From a2bbede7d41a965b385e38780bd6b60a5f946fa7 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Sun, 10 May 2020 11:37:33 +0100 Subject: [PATCH] Add page for Django SRI --- content/projects/django-sri.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 content/projects/django-sri.md diff --git a/content/projects/django-sri.md b/content/projects/django-sri.md new file mode 100644 index 0000000..5ccffb7 --- /dev/null +++ b/content/projects/django-sri.md 
@@ -0,0 +1,25 @@ +--- +title: Django SRI +repo: RealOrangeOne/django-sri +subtitle: Subresource Integrity for Django +--- + +[Subresource integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) (SRI) is a way of securing your remote CSS and JS from being modified without your consent. This works by adding a hash of the file to the `script` or `link` tags, and if the remote file doesn't match, it's not executed. Most people would think this is only useful for JS, but even CSS can be used for [malicious purposes](https://css-tricks.com/css-keylogger/). + +If you're using scripts from a CDN, SRI gives you some confidence that the file won't change without your knowledge. If the CDN is compromised, or a malicious version is published, then yor users are safe. + +If you're using scripts hosted by yourself, then SRI can help prevent against man-in-the-middle attacks (albeit slightly), as well as ensure files are served exactly as you expect them to be. + +## Using SRI with Django + +SRI has been around for a while, as has Django, but no one has put the 2 together it seems. That's where [`django-sri`](https://github.com/{{< param "repo" >}}/) comes in. + +By installing and configuring it correctly, you're given a new `sri_static` template tag, which outputs a fully formed `script` or `link` tag, with the required integrity checks setup. + +``` +{% sri_static "index.js" %} +``` + +The integrity hash is calculated at request time, but is cached in memory to improve performance. The hashing is dome with `hashlib`, which is both fast and won't block the [GIL](https://docs.python.org/3/glossary.html#term-gil). + +interested in giving it a try? [Go install it](https://github.com/{{< param "repo" >}}/#installation)! This integration doesn't support remote assets, but that's coming!
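Review bot: the man-in-the-middle claim in the self-hosted paragraph ("SRI can help prevent against man-in-the-middle attacks (albeit slightly)") overstates what SRI gives you for first-party assets. An attacker who can alter a self-hosted script in transit can usually alter the HTML carrying the `integrity` attribute as well, so the hash offers no protection in that case; what SRI does protect against on your own assets is the file being changed on the server, at a proxy, or in a cache while the page itself is served intact. Suggest rewording that sentence to say TLS is the defence against MITM and SRI catches unexpected changes to the served file. A few typos should also be fixed before merging: "yor users" should be "your users", "is dome with `hashlib`" should be "is done with", "checks setup" should be "checks set up", and "interested in giving it a try?" needs a capital. "won't block the GIL" reads oddly, since the point is that `hashlib` releases the GIL while hashing larger inputs; "releases the GIL" is the accurate phrasing. Finally, consider tagging the bare ``` fence with a language (e.g. ```django) so the template tag gets syntax highlighting.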