HTTP¶

In order of preference, set these headers in:

Strict-Transport-Security (HSTS)¶

If not already set (like via SECURE_HSTS_SECONDS in Django), set the header to:

max-age=31536000; includeSubdomains; preload

If not already set (like via SECURE_CONTENT_TYPE_NOSNIFF in Django), set the header to:

nosniff

One-time setup

Generate a policy:
- Visit the website in Chrome
- Open the extension, and click the Start Building Policy button
- Navigate to every page of the website with unique assets
- Click two Next buttons, and copy the Content-Security-Policy-Report-Only textbox

Edit the policy:

Delete all 'report-sample' values
Delete all directives whose policy is 'self' only, except for the default-src directive
Add a frame-ancestors 'none' directive
Edit remaining directives:

Directive	Minimum	Typical
`script-src`	Omit	`'self'`, plus external sources like `https://cdn.usefathom.com/script.js`
`style-src`	Omit	`'self'`, plus external sources
`img-src`	Omit	`'self' data:` if using data URLs, plus external sources like `https://cdn.usefathom.com`
`font-src`	Omit	`'self' data:` if using data URLs, plus external sources
`frame-src`	Omit	`'self'`, plus external embeds like Power BI, Google Docs or YouTube
`connect-src`	Omit	`'self'`, plus external connections like Google Analytics, other APIs or JSON files
`object-src`	`'none'`
`worker-src`	`'none'`
`frame-ancestors`	`'none'`

Deploy and test the policy.

For example, the extensionlist Sphinx directive breaks if the connect-src CSP directive isn’t configured correctly.

A minimalist Content-Security-Policy header is:

default-src 'self';
object-src 'none';
worker-src 'none';
frame-ancestors 'none'

Note

Django 6.0 adds CSP support and is expected December 2025. Django 6.2 LTS is expected April 2027.