Django SRI

Subresource Integrity for Django

Subresource integrity (SRI) is a way of securing your remote CSS and JS from being modified without your consent. This works by adding a hash of the file to the script or link tags, and if the remote file doesn’t match, it’s not executed. Most people would think this is only useful for JS, but even CSS can be used for malicious purposes.

If you’re using scripts from a CDN, SRI gives you some confidence that the file won’t change without your knowledge. If the CDN is compromised, or a malicious version is published, then yor users are safe.

If you’re using scripts hosted by yourself, then SRI can help prevent against man-in-the-middle attacks (albeit slightly), as well as ensure files are served exactly as you expect them to be.

#Using SRI with Django

SRI has been around for a while, as has Django, but no one has put the two together it seems. That’s where django-sri comes in.

By installing and configuring it correctly, you’re given a new sri_static template tag, which outputs a fully formed script or link tag, with the required integrity checks set up.

HTML+Django/Jinja
{% sri_static "index.js" %} <!-- Will output "<script src='/static/index.js' integrity='sha256-...'></script>" -->

The integrity hash is calculated at request time, but is cached in memory to improve performance. The hashing is dome with hashlib, which is both fast and won’t block the GIL.

Interested in giving it a try? Go install it! This integration doesn’t support remote assets, but that’s coming!

Share this page