
Security

CSP

A Content Security Policy (CSP) is delivered in the Content-Security-Policy HTTP response header (or, less often, in a <meta http-equiv="Content-Security-Policy"> element in the <head> of the HTML, which cannot carry every directive, for example frame-ancestors or report-uri) and tells the browser which sources of content are allowed to load on your page.

This limits what an attacker can do with an injection flaw: script from an origin that is not listed, or inline script without a matching nonce or hash, is refused by the browser, which reduces the impact of XSS. It is a defence-in-depth control and does not replace escaping untrusted output.

The CSP is an allow list of sources (host names, hashes and nonces, plus keywords such as 'self' and 'none'), set per resource type, for example:

  • scripts
  • images
  • stylesheets
  • fonts
  • forms
  • iframes

When using Flask, use the flask-talisman extension to handle your CSP.

When using Django, use the django-csp extension to handle your CSP.

CSP is included in the TNA application templates that provide a frontend.

CSP for TNA Frontend

When using TNA Frontend with the application templates, the following directives must be set as a minimum (each value is a comma-separated list of sources):

  • CSP_STYLE_SRC_ELEM='self',fonts.googleapis.com,p.typekit.net,use.typekit.net
  • CSP_FONT_SRC='self',fonts.gstatic.com,use.typekit.net

Keep 'self' in both lists: once style-src-elem or font-src is set, the browser no longer falls back to style-src or default-src for those loads, so dropping 'self' would block the application's own stylesheets and fonts. Add further sources only for hosts the frontend actually loads from.
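The following is an added example, not code from the TNA templates, flask-talisman or django-csp. It shows what the allow list described above means in practice: it turns CSP_* variables in the style quoted here into directives (the CSP_<DIRECTIVE> to directive-name mapping is an assumption made for this example), serialises them into a Content-Security-Policy header value with a fresh script nonce, and then evaluates whether a given URL would be permitted for a given directive, following the CSP fallback chain (style-src-elem falls back to style-src, then default-src). The sample environment, the page origin https://app.example and the test URLs are constructed; the evaluator is simplified (it ignores paths and default ports in host sources).

```python
import secrets
from urllib.parse import urlsplit

# Constructed sample environment in the style of the CSP_* variables quoted
# on this page. The CSP_<DIRECTIVE> -> directive-name mapping is an assumption
# made for this example, not the templates' own implementation.
SAMPLE_ENV = {
    "CSP_DEFAULT_SRC": "'self'",
    "CSP_STYLE_SRC_ELEM": "'self',fonts.googleapis.com,p.typekit.net,use.typekit.net",
    "CSP_FONT_SRC": "'self',fonts.gstatic.com,use.typekit.net",
    "CSP_IMG_SRC": "'self',data:",
    "NOT_CSP": "ignored",
}

# Origin of the page being protected (constructed for the example).
PAGE_ORIGIN = "https://app.example"

# CSP3 fallback chain: which directive governs a load when the specific one is absent.
FALLBACK = {
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "style-src-attr": ["style-src", "default-src"],
    "script-src": ["default-src"],
    "style-src": ["default-src"],
    "img-src": ["default-src"],
    "font-src": ["default-src"],
    "connect-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
}


def env_to_directives(env):
    """Map CSP_STYLE_SRC_ELEM='self',a,b to {'style-src-elem': ["'self'", 'a', 'b']}."""
    directives = {}
    for name, value in env.items():
        if not name.startswith("CSP_"):
            continue
        directive = name[len("CSP_"):].lower().replace("_", "-")
        directives[directive] = [s.strip() for s in value.split(",") if s.strip()]
    return directives


def new_nonce():
    """Fresh per-response nonce: 128 random bits, base64url (a valid CSP base64-value)."""
    return secrets.token_urlsafe(16)


def build_header(directives, script_nonce=None):
    """Serialise directives into a Content-Security-Policy header value.

    If a nonce is given it is added to script-src, seeding that directive from
    default-src when absent, so 'self' is not lost once the browser stops
    falling back to default-src for scripts.
    """
    directives = dict(directives)
    if script_nonce:
        base = directives.get("script-src", directives.get("default-src", []))
        directives["script-src"] = list(base) + [f"'nonce-{script_nonce}'"]
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def effective_sources(directives, directive):
    """Source list governing `directive` after the fallback chain (None = unrestricted)."""
    for candidate in [directive] + FALLBACK.get(directive, []):
        if candidate in directives:
            return directives[candidate]
    return None


def source_matches(expr, url, page_origin):
    """Does one source expression permit `url`? Simplified: ignores paths and default ports."""
    expr = expr.lower()
    target = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        origin = urlsplit(page_origin)
        return (target.scheme, target.netloc) == (origin.scheme, origin.netloc)
    if expr.startswith("'"):
        return False  # hashes, nonces, 'unsafe-inline': these never match a URL fetch
    if expr == "*":
        return target.scheme not in ("data", "blob", "filesystem")
    if expr.endswith(":") and "/" not in expr:
        return target.scheme == expr[:-1]  # scheme-source such as data: or https:
    pattern = urlsplit(expr if "://" in expr else f"//{expr}")  # host-source
    if pattern.scheme and pattern.scheme != target.scheme:
        return False
    if pattern.port is not None and pattern.port != target.port:
        return False
    host, want = target.hostname or "", pattern.hostname or ""
    if want.startswith("*."):
        return host.endswith(want[1:])  # *.example.org matches cdn.example.org, not example.org
    return host == want


def allows(directives, directive, url, page_origin=PAGE_ORIGIN):
    """Would a browser enforcing `directives` load `url` for the given directive?"""
    sources = effective_sources(directives, directive)
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


if __name__ == "__main__":
    policy = env_to_directives(SAMPLE_ENV)
    print("Content-Security-Policy:", build_header(policy, new_nonce()))
    for directive, url in [
        ("style-src-elem", "https://fonts.googleapis.com/css2?family=Open+Sans"),
        ("style-src-elem", "https://evil.example/steal.css"),
        ("script-src", "https://cdn.example/lib.js"),  # falls back to default-src 'self'
    ]:
        verdict = "allowed" if allows(policy, directive, url) else "BLOCKED"
        print(f"{directive:15} {url:55} {verdict}")
```

The evaluator makes the fallback rule visible: with the sample environment, a script from cdn.example is blocked because script-src is unset and default-src is 'self', while a stylesheet from fonts.googleapis.com is allowed only because style-src-elem lists it. A real deployment should generate the nonce once per response and inject the same value into every inline <script> tag.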

Environment variables

[TODO]