Skip to content

Commit

Permalink
add note to docs about nonce
Browse files Browse the repository at this point in the history
  • Loading branch information
@prauscher
prauscher committed Apr 30, 2024
1 parent e2d2c20 commit bd63d19
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions docs/source/contents/security.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,11 @@ guides: djangosaml2 will automatically blend in and update the headers for
POST-bindings, so you must not include exceptions for djangosaml2 in your
global configuration.

Note that to enable autosubmit of post-bindings inline-javascript is used. To
allow execution of this autosubmit-code a nonce is included, which works in
default configuration but may not work if you modify `CSP_INCLUDE_NONCE_IN`
to exclude `script-src`.

You can specify a custom CSP handler via the `SAML_CSP_HANDLER` setting and the
warning can be disabled by setting `SAML_CSP_HANDLER=''`. See the
[djangosaml2](https://djangosaml2.readthedocs.io/) documentation for more
Expand Down

0 comments on commit bd63d19

Please sign in to comment.