#37084: Add system check for CSP nonce policy without csp context processor
-------------------------------------+-------------------------------------
     Reporter:  Rob Hudson           |                     Type:  New
                                     |  feature
       Status:  new                  |                Component:  Core
                                     |  (System checks)
      Version:  6.0                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 When a project enables `ContentSecurityPolicyMiddleware` and includes
 `CSP.NONCE` in its policy, but does not configure the
 `django.template.context_processors.csp` context processor in `TEMPLATES`,
 the result is a silent security misconfiguration. The developer has the
 security of a non-nonce policy while believing they have nonce-based
 protection.

 Proposed check:

 Register a new security check that emits a Warning (or Error) when all of
 the following hold:
 1. `django.middleware.csp.ContentSecurityPolicyMiddleware` is in the
 middleware
 2. At least one configured policy contains `CSP.NONCE` as a source value
 3. No Django template engine in `TEMPLATES` lists
 `django.template.context_processors.csp`

 Possible message:
 Your CSP policy includes `CSP.NONCE` and `ContentSecurityPolicyMiddleware`
 is enabled, but the `django.template.context_processors.csp` context
 processor is not configured. The nonce will appear in the response header
 but not in rendered templates, so nonce-based protection will not take
 effect. Add "django.template.context_processors.csp" to the
 context_processors option of at least one Django template engine.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37084>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
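
The three conditions above, worked through as a stand-alone model of the proposed check. This is an added example, not code from the ticket or from Django: it does not import Django, so `FakeSettings` and `CheckMessage` are constructed stand-ins for `django.conf.settings` and `django.core.checks.Warning`. The `SECURE_CSP` / `SECURE_CSP_REPORT_ONLY` settings with a `DIRECTIVES` map, the Django template backend path, the `CSP_NONCE` sentinel string and the `security.W0NN` check id are assumptions, labelled as such in the code.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Identifiers quoted in the ticket.
CSP_MIDDLEWARE = "django.middleware.csp.ContentSecurityPolicyMiddleware"
CSP_CONTEXT_PROCESSOR = "django.template.context_processors.csp"

# Assumptions (not from the ticket): the Django template backend path, policy
# settings shaped as {"DIRECTIVES": {directive: [sources]}}, and a constructed
# stand-in for the CSP.NONCE sentinel value.
DJANGO_TEMPLATE_BACKEND = "django.template.backends.django.DjangoTemplates"
CSP_NONCE = "<CSP_NONCE_SENTINEL>"


@dataclass
class FakeSettings:
    """Minimal stand-in for django.conf.settings (constructed for this example)."""
    MIDDLEWARE: list[str] = field(default_factory=list)
    TEMPLATES: list[dict] = field(default_factory=list)
    SECURE_CSP: dict | None = None
    SECURE_CSP_REPORT_ONLY: dict | None = None


@dataclass
class CheckMessage:
    """Shape of a django.core.checks.Warning, without importing Django."""
    level: str
    msg: str
    hint: str
    id: str


def policy_uses_nonce(policy: dict | None) -> bool:
    """Condition 2: some directive in the policy lists CSP.NONCE as a source."""
    if not policy:
        return False
    for sources in policy.get("DIRECTIVES", {}).values():
        if isinstance(sources, (list, tuple, set, frozenset)):
            if CSP_NONCE in sources:
                return True
        elif sources == CSP_NONCE:  # a bare string value
            return True
    return False


def django_engine_has_csp_processor(templates: list[dict]) -> bool:
    """Negation of condition 3: a *Django* engine lists the csp context processor.
    Engines of other backends (e.g. Jinja2) are ignored, as the ticket specifies."""
    for engine in templates:
        if engine.get("BACKEND") != DJANGO_TEMPLATE_BACKEND:
            continue
        processors = engine.get("OPTIONS", {}).get("context_processors", [])
        if CSP_CONTEXT_PROCESSOR in processors:
            return True
    return False


def check_csp_nonce_context_processor(settings: FakeSettings) -> list[CheckMessage]:
    """Return one warning when all three conditions from the ticket hold."""
    if CSP_MIDDLEWARE not in settings.MIDDLEWARE:  # condition 1
        return []
    if not (policy_uses_nonce(settings.SECURE_CSP)
            or policy_uses_nonce(settings.SECURE_CSP_REPORT_ONLY)):  # condition 2
        return []
    if django_engine_has_csp_processor(settings.TEMPLATES):  # condition 3
        return []
    return [CheckMessage(
        level="WARNING",
        msg=("Your CSP policy includes CSP.NONCE and ContentSecurityPolicyMiddleware "
             "is enabled, but the django.template.context_processors.csp context "
             "processor is not configured. The nonce will appear in the response "
             "header but not in rendered templates, so nonce-based protection will "
             "not take effect."),
        hint=('Add "django.template.context_processors.csp" to the context_processors '
              "option of at least one Django template engine."),
        id="security.W0NN",  # placeholder; no id is assigned in the ticket
    )]


def misconfigured_settings() -> FakeSettings:
    """Constructed sample: nonce in policy, middleware enabled, no csp processor."""
    return FakeSettings(
        MIDDLEWARE=["django.middleware.security.SecurityMiddleware", CSP_MIDDLEWARE],
        TEMPLATES=[{
            "BACKEND": DJANGO_TEMPLATE_BACKEND,
            "OPTIONS": {"context_processors": ["django.template.context_processors.request"]},
        }],
        SECURE_CSP={"DIRECTIVES": {"default-src": ["'self'"],
                                   "script-src": ["'self'", CSP_NONCE]}},
    )


def fixed_settings() -> FakeSettings:
    """The same project after applying the fix the message suggests."""
    s = misconfigured_settings()
    s.TEMPLATES[0]["OPTIONS"]["context_processors"].append(CSP_CONTEXT_PROCESSOR)
    return s


if __name__ == "__main__":
    for name, s in (("misconfigured", misconfigured_settings()), ("fixed", fixed_settings())):
        print(name, [m.id for m in check_csp_nonce_context_processor(s)])
```

Running the block prints one warning id for the misconfigured settings and none for the fixed ones; a report-only policy that uses the nonce triggers the check as well, while a csp context processor registered only on a non-Django engine does not silence it.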