File: README.rst

python-django-debreach 2.1.0-3
django-debreach
===============

Extra mitigation against the `BREACH attack <http://breachattack.com/>`_ 
for Django projects. 

django-debreach provides additional protection to Django's built-in CSRF
token masking by randomising the content length of each response. This is
achieved by appending a random string of between 12 and 25 characters as an
HTML comment to the end of the HTML content. Note that this is only applied to
responses with a content type of ``text/html``.

When combined with the built-in mitigations in Django and rate limiting
(either in your web server, or by using something like
`django-ratelimit <http://django-ratelimit.readthedocs.org/>`_), the
techniques here should provide fairly comprehensive protection against the
BREACH attack.
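The mechanism described above, as an added illustration (not the project's own code): a Django-style middleware that appends a random-length HTML comment to ``text/html`` responses only. ``FakeResponse`` is a hypothetical stand-in for Django's ``HttpResponse`` so the example runs without Django installed.

```python
import secrets
import string

# Hypothetical stand-in for django.http.HttpResponse, so this runs offline:
# it only needs a mutable body and a header lookup.
class FakeResponse:
    def __init__(self, content: bytes, content_type: str = "text/html; charset=utf-8"):
        self.content = content
        self.headers = {"Content-Type": content_type}
        self.streaming = False

    def __getitem__(self, name):
        return self.headers[name]

# Alphanumerics only: a "--" sequence inside a comment is invalid HTML, and
# random letters/digits are not shrunk back by gzip, so the length jitter
# survives compression.
_ALPHABET = string.ascii_letters + string.digits
MIN_LEN, MAX_LEN = 12, 25

def random_comment() -> bytes:
    """Build an HTML comment whose padding length is uniform in [12, 25]."""
    n = MIN_LEN + secrets.randbelow(MAX_LEN - MIN_LEN + 1)
    padding = "".join(secrets.choice(_ALPHABET) for _ in range(n))
    return f"<!-- {padding} -->".encode("ascii")

def append_random_comment(response):
    """Pad text/html responses; leave every other content type untouched."""
    if getattr(response, "streaming", False):
        return response  # no in-memory body to append to
    if not response["Content-Type"].startswith("text/html"):
        return response
    response.content = response.content + random_comment()
    return response

class RandomCommentMiddleware:
    """Mirrors Django's middleware protocol: wrap get_response, pad the result."""
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        return append_random_comment(self.get_response(request))
```

Because the padding is regenerated per response, two requests for the same page return bodies of (usually) different lengths, which is what blunts a length-observing attacker.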

Installation & Usage
--------------------

Install from PyPI using::

    $ pip install django-debreach

To enable content length modification for all responses, add
``debreach.middleware.RandomCommentMiddleware`` at the *start* of your
middleware, but *after* ``GzipMiddleware`` if you are using that (the
response phase runs middleware in reverse order, so the comment is appended
before the body is compressed)::

    # Django 2.0+ reads the MIDDLEWARE setting; MIDDLEWARE_CLASSES was
    # removed in Django 2.0, the minimum version this release supports.
    MIDDLEWARE = [
        'debreach.middleware.RandomCommentMiddleware',
        ...
    ]

or::

    MIDDLEWARE = [
        'django.middleware.gzip.GzipMiddleware',
        'debreach.middleware.RandomCommentMiddleware',
        ...
    ]

If you wish to disable this feature for selected views, apply the
``debreach.decorators.random_comment_exempt`` decorator to the view.

If you only want to protect a subset of views with content length modification,
it may be easier not to use the middleware and instead selectively apply the
``debreach.decorators.append_random_comment`` decorator to the views you want
protected.

Python 2 and Django < 2.0 support
---------------------------------

Version 2.0.0 drops all support for Python 2 and Django < 2.0. If you need
support for those versions, continue using ``django-debreach>=1.5.2,<2.0``.