django-feature-policy is now django-permissions-policy
2021-04-13
I created django-feature-policy in 2018 to allow Django projects to control the draft security header Feature-Policy. This header allows your site to restrict which origins can use some sensitive browser features, such as the payments API or access to the webcam.
In 2020 a new specification renamed the header to Permissions-Policy, with different syntax.
Browsers updated accordingly, so I also updated django-feature-policy.
I left it sending both the old and new forms so that older browser versions would remain protected.
A few weeks ago, I updated my package once more, renaming it to django-permissions-policy and removing the old Feature-Policy header. This is because Chrome now logs warnings about the old header.
To update for the rename, I uploaded the new version as django-permissions-policy version 4.0.0, and released django-feature-policy 4.0.0 as an empty package that depends on the new name. Thanks to Simon Willison for his repo template demonstrating this technique.
If you are using django-feature-policy, update and swap it for django-permissions-policy. And if you're not, try it out, and score your site an extra grade on SecurityHeaders.com.
For reference, here’s the policy I’m using on DB Buddy:
This policy disables many privacy-sensitive features for all origins, including the site itself.
It also disables the sync-xhr feature, which blocks synchronous XMLHttpRequest calls, the kind that freeze the main thread while they wait for a response. This helps performance rather than improving security.
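As an added example (not the policy from DB Buddy, and not code from django-permissions-policy itself), here is a constructed PERMISSIONS_POLICY dict in the shape the package reads from your settings, together with a serializer that produces the Permissions-Policy header value and a checker that answers "may this origin use this feature?" against a header. The setting shape (feature name mapped to an allowlist of "self", "*" or "https://origin" entries, with an empty list meaning disabled for everyone) and the header syntax (a Structured Field dictionary of inner lists, as in the Permissions-Policy specification) are assumptions stated here; the origin videos.example.com and the site origins used in the checks are hypothetical.

```python
"""Build and check a Permissions-Policy header from a PERMISSIONS_POLICY dict.

Added example; not code from django-permissions-policy or from DB Buddy.
Assumed: the settings shape the package reads (feature -> allowlist of
"self", "*" or "https://origin"; an empty allowlist disables the feature for
every origin, the site itself included) and the Structured Field syntax the
Permissions-Policy specification uses for the header value.
"""
from __future__ import annotations

import re

# Constructed settings dict in the shape of settings.PERMISSIONS_POLICY.
# Illustrative only; this is not the policy the post refers to.
PERMISSIONS_POLICY: dict[str, list[str]] = {
    "accelerometer": [],
    "camera": [],
    "geolocation": [],
    "microphone": [],
    "payment": [],
    "usb": [],
    # Disabling sync-xhr blocks synchronous XMLHttpRequest: a performance
    # measure rather than a security one.
    "sync-xhr": [],
    # Allowed for the site's own origin only.
    "fullscreen": ["self"],
    # "self" plus a hypothetical third-party origin.
    "autoplay": ["self", "https://videos.example.com"],
}

_ORIGIN_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?$")


def _serialize_entry(entry: str) -> str:
    """Tokens self and * are written bare; origins are quoted strings."""
    if entry in ("self", "*"):
        return entry
    if not _ORIGIN_RE.match(entry):
        raise ValueError(f"not a valid allowlist entry: {entry!r}")
    return f'"{entry}"'


def build_header(policy: dict[str, list[str]]) -> str:
    """Serialize the dict to a Permissions-Policy header value, e.g.
    'camera=(), fullscreen=(self), autoplay=(self "https://videos.example.com")'.
    A bare ["*"] allowlist is written as feature=* rather than feature=(*)."""
    parts = []
    for feature, allowlist in policy.items():
        if allowlist == ["*"]:
            parts.append(f"{feature}=*")
        else:
            inner = " ".join(_serialize_entry(e) for e in allowlist)
            parts.append(f"{feature}=({inner})")
    return ", ".join(parts)


def parse_header(value: str) -> dict[str, list[str]]:
    """Inverse of build_header: turn the header a site actually sends back
    into the dict form so it can be inspected or compared with settings."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(","):
        directive = directive.strip()
        if not directive:
            continue
        feature, _, allow = directive.partition("=")
        allow = allow.strip()
        if allow == "*":
            policy[feature.strip()] = ["*"]
        elif allow.startswith("(") and allow.endswith(")"):
            policy[feature.strip()] = [e.strip('"') for e in allow[1:-1].split()]
        else:
            raise ValueError(f"malformed directive: {directive!r}")
    return policy


def is_allowed(
    header: str,
    feature: str,
    origin: str,
    self_origin: str,
    default: tuple[str, ...] = ("self",),
) -> bool:
    """Does `header` let `origin` use `feature` on a page served from
    `self_origin`? Features the header does not mention fall back to
    `default`; ("self",) is a simplification, since the spec's default
    allowlist varies per feature."""
    allowlist = parse_header(header).get(feature, list(default))
    if "*" in allowlist:
        return True
    if "self" in allowlist and origin == self_origin:
        return True
    return origin in allowlist


if __name__ == "__main__":
    header = build_header(PERMISSIONS_POLICY)
    print("Permissions-Policy:", header)
    site = "https://site.example"  # hypothetical origin serving the page
    for feature, origin in [
        ("camera", site),
        ("fullscreen", site),
        ("fullscreen", "https://other.example"),
        ("autoplay", "https://videos.example.com"),
    ]:
        print(f"{feature:>10} for {origin}: {is_allowed(header, feature, origin, site)}")
```

In a real project the middleware builds this header from settings.PERMISSIONS_POLICY on every response; the serializer above exists only so the example runs without Django installed. Note that an empty allowlist such as camera=() really does lock out your own origin too, which is why testing with the console open matters, and that, unlike the package, this example does not validate feature names against the known list.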
If you add any policy to an existing site, be sure to test all functionality thoroughly with your browser console open.
To further boost your site’s security, check out my Django Security Headers Guide, although with renames like this it’s getting a little dated!
May your site be ever more secure,
© 2021 All rights reserved.