You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Extra mitigation against the BREACH attack
for Django projects.
Note (that as of version 4.2 Django) includes this protection natively and this
library is not needed.
django-debreach provides additional protection to Django's built in CSRF
token masking by randomising the content length of each response. This is
achieved by adding a random string of between 12 and 25 characters as a
comment to the end of the HTML content. Note that this will only be applied to
responses with a content type of text/html.
When combined with the built-in mitigations in Django and rate limiting
(either in your web-server, or by using something like
django-ratelimit), the
techniques here should provide a fairly comprehensive protection against the
BREACH attack.
Installation & Usage
Install from PyPI using:
$ pip install django-debreach
To enable content length modification for all responses, add the
debreach.middleware.RandomCommentMiddleware to the start of your
middleware, but after the GzipMiddleware if you are using that.:
If you wish to disable this feature for selected views, simply apply the
debreach.decorators.random_comment_exempt decorator to the view.
If you only want to protect a subset of views with content length modification
then it may be easier to not use the middleware, but to selectively apply the
debreach.decorators.append_random_comment decorator to the views you want
protected.
Python 2 and Django < 2.0 support
Version 2.0.0 drops all support for Python 2 and Django < 2.0. If you need
support for those versions continue using django-debreach>=1.5.2,<2.0.
