Opened 3 hours ago
Last modified 2 minutes ago
#37084 assigned New feature
Add system check for CSP nonce policy without csp context processor — at Initial Version
| Reported by: | Rob Hudson | Owned by: | |
|---|---|---|---|
| Component: | Core (System checks) | Version: | 6.0 |
| Severity: | Normal | Keywords: | csp nonce |
| Cc: | Rob Hudson | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
When a project enables ContentSecurityPolicyMiddleware and includes CSP.NONCE in its policy, but does not configure the django.template.context_processors.csp context processor in TEMPLATES, the result is a silent security misconfiguration. The developer has the security of a non-nonce policy while believing they have nonce-based protection.
Proposed check:
Register a new security check that emits a Warning (or Error) when all of the following hold:
django.middleware.csp.ContentSecurityPolicyMiddlewareis in the middleware- At least one configured policy contains
CSP.NONCEas a source value - No Django template engine in
TEMPLATESlistsdjango.template.context_processors.csp
Possible message:
Your CSP policy includes CSP.NONCE and ContentSecurityPolicyMiddleware is enabled, but the django.template.context_processors.csp context processor is not configured. The nonce will appear in the response header but not in rendered templates, so nonce-based protection will not take effect. Add "django.template.context_processors.csp" to the context_processors option of at least one Django template engine.