Subresource Integrity for Django.
```
pip install django-sri
```
Then add `sri` to your `INSTALLED_APPS`.
Note: By default, integrity hashes are not output when `DEBUG` is `True`, as static files change a lot during local development. To override this, set `USE_SRI` to `True`.
`django-sri` is designed to primarily be used through template tags:
```html
{% load sri %}
{% sri_static "index.js" %} <!-- Will output "<script src='/static/index.js' integrity='sha256-...'></script>" -->
{% sri_static "index.css" %} <!-- Will output "<link rel='stylesheet' href='/static/index.css' integrity='sha256-...'/>" -->
```
For performance, the hashes of files are cached in Django's caching framework. It will attempt to use the "sri" cache, but fall back to "default" if it doesn't exist. The cache keys are the hash of the file path in the specified algorithm, in hex. Entries are stored for as long as the cache's `DEFAULT_TIMEOUT` is set to.
The SRI standard supports 3 algorithms: sha256, sha384 and sha512. By default, SHA256 is used. To override this, supply an additional `algorithm` argument to the `sri` template tag (or the specific ones):
```html
{% load sri %}
{% sri_static "index.js" algorithm="sha512" %} <!-- Will output "<script src='/static/index.js' integrity='sha512-...'></script>" -->
```
The default algorithm can be changed by setting `SRI_ALGORITHM` to the required algorithm.
To add additional attributes to the output tag (such as `async` / `defer`), specify them as additional arguments to the template tag:
```html
{% load sri %}
{% sri_static "index.js" 'defer' 'async' %}
{% sri_static "index.woff2" preload as="font" %}
```
To retrieve just the integrity hash (the contents of the `integrity` attribute), you can use the `{% sri_integrity_static %}` tag, which supports the same arguments as the other tags.
```html
{% load sri %}
{% sri_integrity_static "index.js" "sha512" %} <!-- Will output "sha512-..." -->
```
For automatic tag output, the following files are supported:
.js
.css
Unknown extensions will emit a `link` tag with the URL as the `href` attribute. `sri_integrity_static` is unaffected by this limitation.
The integrity hashes can also be calculated directly from Python:
```python
from pathlib import Path
from sri import calculate_integrity, calculate_integrity_of_static, Algorithm

calculate_integrity(Path("/path/to/myfile.txt"))  # "sha256-..."
calculate_integrity_of_static("index.js")  # "sha256-..."
calculate_integrity_of_static("index.js", Algorithm.SHA512)  # "sha512-..."
```
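As an added example (not django-sri's own code), the following standard-library snippet shows what an `integrity` value such as the ones above actually is (the algorithm name, a dash, and the base64-encoded raw digest), and how a consumer verifies fetched bytes against it the way a browser does before executing the resource. The file written in `demo()` is constructed for illustration.

```python
import base64
import hashlib
import hmac
import tempfile
from pathlib import Path

# The three digests the SRI spec allows; "sha256" is django-sri's default.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def calculate_integrity_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Return an SRI value, e.g. "sha256-<base64 digest>", for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def calculate_integrity(path: Path, algorithm: str = "sha256") -> str:
    """Hash a file on disk, as the template tag does for a static file."""
    return calculate_integrity_bytes(path.read_bytes(), algorithm)


def verify_integrity(data: bytes, integrity: str) -> bool:
    """True only if data hashes to the given SRI value under its algorithm."""
    algorithm, _, expected = integrity.partition("-")
    if algorithm not in SRI_ALGORITHMS or not expected:
        return False  # unknown or malformed metadata: treat as failed
    actual = calculate_integrity_bytes(data, algorithm)
    return hmac.compare_digest(actual, integrity)


def demo() -> tuple:
    """Hash a constructed script file, then check the original and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp) / "index.js"
        script.write_bytes(b"console.log('hello');\n")  # constructed sample
        integrity = calculate_integrity(script, "sha384")
        ok = verify_integrity(script.read_bytes(), integrity)
        tampered = verify_integrity(b"console.log('hello'); evil();\n", integrity)
    return ok, tampered  # (True, False)


if __name__ == "__main__":
    print(demo())
```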
`django-sri` works with cache-busting storage backends: it outputs the static file URL in the same way the builtin `static` template tag does, so the correct cache-busted URLs are output.

When using a manifest `STATICFILES_STORAGE`, `django-sri` will automatically retrieve the hashed and post-processed file as opposed to the original.