Metadata-Version: 2.1
Name: django-debreach
Version: 2.1.0
Summary: Adds middleware to give some added protection against the BREACH attack in Django.
Home-page: http://github.com/lpomfrey/django-debreach
Author: Luke Pomfrey
Author-email: luke@lukepomfrey.org
Maintainer: Luke Pomfrey
Maintainer-email: luke@lukepomfrey.org
License: UNKNOWN
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: BSD License
Classifier: Operating System :: OS Independent
Classifier: Framework :: Django
Classifier: Framework :: Django :: 2.2
Classifier: Framework :: Django :: 3.2
Classifier: Framework :: Django :: 4.0
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Topic :: Internet :: WWW/HTTP
Requires-Python: >=3.7
License-File: LICENSE
License-File: AUTHORS.rst

django-debreach
===============

Extra mitigation against the `BREACH attack <http://breachattack.com/>`_ 
for Django projects. 

django-debreach provides additional protection to Django's built in CSRF
token masking by randomising the content length of each response. This is 
achieved by adding a random string of between 12 and 25 characters as a 
comment to the end of the HTML content. Note that this will only be applied to 
responses with a content type of ``text/html``.

When combined with the built-in mitigations in Django and rate limiting 
(either in your web-server, or by using something like 
`django-ratelimit <http://django-ratelimit.readthedocs.org/>`_), the 
techniques here should provide a fairly comprehensive protection against the 
BREACH attack.

.. image:: https://badge.fury.io/py/django-debreach.png
    :target: https://badge.fury.io/py/django-debreach
    :alt: PyPI
.. image:: https://travis-ci.org/lpomfrey/django-debreach.png?branch=master
    :target: https://travis-ci.org/lpomfrey/django-debreach
    :alt: Build status

.. image:: https://coveralls.io/repos/lpomfrey/django-debreach/badge.png?branch=master
    :target: https://coveralls.io/r/lpomfrey/django-debreach?branch=master
    :alt: Coverage

Installation & Usage
--------------------

Install from PyPI using::

    $ pip install django-debreach

To enable content length modification for all responses, add the
``debreach.middleware.RandomCommentMiddleware`` to the *start* of your
middleware, but *after* the ``GzipMiddleware`` if you are using that.::

    MIDDLEWARE_CLASSES = (
        'debreach.middleware.RandomCommentMiddleware',
        ...
    )

or::

    MIDDLEWARE_CLASSES = (
        'django.middleware.gzip.GzipMiddleware',
        'debreach.middleware.RandomCommentMiddleware',
        ...
    )

If you wish to disable this feature for selected views, simply apply the
``debreach.decorators.random_comment_exempt`` decorator to the view.

If you only want to protect a subset of views with content length modification
then it may be easier to not use the middleware, but to selectively apply the
``debreach.decorators.append_random_comment`` decorator to the views you want
protected.

Python 2 and Django < 2.0 support
---------------------------------

Version 2.0.0 drops all support for Python 2 and Django < 2.0. If you need 
support for those versions continue using ``django-debreach>=1.5.2,<2.0``.


