Add warning and documentation iff django-csp can not be found

prauscher · prauscher · commit 1ae29057d44a · 2023-12-27T15:43:33.000Z
diff --git a/djangosaml2/views.py b/djangosaml2/views.py
@@ -76,6 +76,8 @@
     validate_referral_url,
 )
 
+logger = logging.getLogger("djangosaml2")
+
 # Update Content-Security-Policy headers for POST-Bindings
 try:
     from csp.decorators import csp_update
@@ -84,15 +86,18 @@
     # is not used
     def saml2_csp_update(view):
         return view
+
+    logger.warning("django-csp could not be found, not updating Content-Security-Policy. Please "
+                   "make sure CSP is configured at least by httpd or setup django-csp. See "
+                   "https://djangosaml2.readthedocs.io/contents/security.html#content-security-policy"
+                   " for more information")
 else:
     # script-src 'unsafe-inline' to autosubmit forms,
     # form-action https: to send data to IdPs
     saml2_csp_update = csp_update(
         SCRIPT_SRC=["'unsafe-inline'"], FORM_ACTION=["https:"]
     )
 
-logger = logging.getLogger("djangosaml2")
-
 
 def _set_subject_id(session, subject_id):
     session["_saml2_subject_id"] = code(subject_id)
diff --git a/docs/source/contents/security.md b/docs/source/contents/security.md
@@ -1,5 +1,5 @@
-Security considerations
-=======================
+Introduction
+============
 
 Authentication and Authorization are quite security relevant topics on its own.
 Make sure you understand SAML2 and its implications, specifically the
@@ -12,9 +12,24 @@ need for direct communication between SP and IdP. However, for security the use
 of cryptographic signatures (both while sending and receiving messages) must be
 examined and the private keys in use must be kept closely guarded.
 
+Content Security Policy
+=======================
+
 When using POST-Bindings, the Browser is presented with a small HTML-Form for
 every redirect (both Login and Logout), which is sent using JavaScript and
 sends the Data to the selected IdP. If your application uses technices such as
 Content Security Policy, this might affect the calls. Since Version 1.9.0
 djangosaml2 will detect if django-csp is installed and update the Content
 Security Policy accordingly.
+
+[Content Security Policy](https://content-security-policy.com/) is an important
+HTTP-Extension to prevent User Input or other harmful sources from manipulating
+application data. Usage is strongly advised, see
+[OWASP Control](https://owasp.org/www-community/controls/Content_Security_Policy).
+
+To enable CSP with [django-csp](https://django-csp.readthedocs.io/), simply
+follow their [installation](https://django-csp.readthedocs.io/en/latest/installation.html)
+and [configuration](https://django-csp.readthedocs.io/en/latest/configuration.html)
+guides: djangosaml2 will automatically blend in and update the headers for
+POST-bindings, so you must not include exceptions for djangosaml2 in your
+global configuration.
