Closing the gap: strict CSP in the Django world
Inching closer to strict CSP compatibility for the Django ecosystem

We’re very close to full compatibility with strict Content Security Policies (CSP) in Wagtail! CSP is a web security standard designed to prevent cross-site scripting (XSS) and data injection attacks.
While CSP offers substantial security benefits, its complexity has traditionally posed challenges for widespread adoption. Providing clear, developer-friendly pathways for implementing CSP is essential for broader use, and we want to make sure that keeping the CMS compatible with CSP isn’t a long-term headache.
Progress in Wagtail
We have been working on CSP improvements gradually over the years, with a key moment being the adoption of the Stimulus framework to refactor UI components in Wagtail. See RFC 78: Adopt Stimulus from core team member LB for a deep dive on our decision process. In 2025, we are pushing through the final compatibility issues and needed refactoring, thanks to a dedicated audit and follow-up Google Summer of Code project with our contributor Chiemezuo Akujobi 🚀.
The ultimate goal is for Wagtail to be compatible with the strictest policy, "default-src 'self';", so developers have full flexibility over how strict a CSP they want to enforce. Beyond the code changes, the current priorities for Wagtail’s CSP improvements include:
- Documentation and defaults: Creating accessible documentation, including practical examples to assist developers in configuring and maintaining CSP effectively. Clearly communicating which Wagtail features would require CSP adjustments, so developers can make informed choices.
- Ecosystem compatibility: Collaborating with package maintainers within the Wagtail ecosystem to ensure third-party packages support CSP with no additional configuration requirements.
Progress in Django
Rob Hudson has been instrumental in improving the CSP story for the whole Django ecosystem, taking on maintenance of the widely popular django-csp package, and now working on built-in CSP support in Django. These efforts aim to reduce complexity and make CSP implementation easier and more intuitive, helping developers secure Django-based applications without extensive overhead.
And having this done directly in Django will mean much better opportunities for the thousands of Django packages to roll out their own CSP support!
Calling package maintainers
To encourage CSP adoption, compatibility across the broader Django package ecosystem is essential. We recommend that maintainers:
- Conduct audits of existing packages to evaluate needed changes. See our own CSP compatibility audit for Wagtail.
- Update packaging guidelines for Django projects (such as our own Python Package Maintenance Guidelines) to require CSP support.
- Test early with in-progress work for CSP support in Django and Wagtail. Run your tests against Django’s main!
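As a starting point for the audits recommended above, and to make concrete what "default-src 'self';" actually rejects, here is an added example that is not part of this post, of Wagtail, or of django-csp: a small stand-alone auditor built on Python's `html.parser` that scans rendered template output and flags the constructs a strict policy blocks (inline `<script>` and `<style>` blocks, `on*=` event handlers, `style=` attributes, `javascript:` URLs, `data:` URIs and cross-origin sub-resources). The class and function names, and the sample page it scans, are all constructed for this example.

```python
"""Added example (not Wagtail's or django-csp's code): flag markup that a strict
``default-src 'self'`` Content Security Policy would block, so package
maintainers can triage their templates before turning CSP on."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that load a sub-resource; under 'self' only same-origin URLs are allowed.
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "link": "href", "object": "data",
}


@dataclass
class Finding:
    line: int    # 1-based line in the scanned markup
    kind: str    # short category, used for counting
    detail: str


class StrictCspAuditor(HTMLParser):
    """Hypothetical helper for this post: collects CSP-relevant findings."""

    def __init__(self, page_origin):
        super().__init__()
        self.page_host = urlsplit(page_origin).netloc.lower()
        self.findings = []
        self._inline_block = None  # ("script"|"style", has_nonce) while inside one

    def _add(self, kind, detail):
        line, _ = self.getpos()
        self.findings.append(Finding(line, kind, detail))

    def _check_origin(self, tag, url):
        parts = urlsplit(url.strip())
        if parts.scheme == "data":
            self._add("data-uri", f"<{tag}> loads a data: URI")
        elif parts.netloc and parts.netloc.lower() != self.page_host:
            self._add("cross-origin", f"<{tag}> loads from {parts.netloc}")
        # relative or same-host URLs are covered by 'self'

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            value = value or ""
            if name.startswith("on"):
                # inline event handlers need 'unsafe-inline' or 'unsafe-hashes'
                self._add("inline-handler", f"<{tag} {name}=...>")
            elif name == "style":
                self._add("inline-style-attr", f"<{tag} style=...>")
            elif name in ("href", "src", "action") and value.strip().lower().startswith("javascript:"):
                self._add("javascript-url", f'<{tag} {name}="javascript:...">')
        res_attr = RESOURCE_ATTRS.get(tag)
        if res_attr and attrs.get(res_attr):
            self._check_origin(tag, attrs[res_attr])
        if tag == "script" and not attrs.get("src"):
            self._inline_block = ("script", "nonce" in attrs)
        elif tag == "style":
            self._inline_block = ("style", "nonce" in attrs)

    def handle_data(self, data):
        # Script/style bodies arrive here; report each non-empty block once.
        if self._inline_block and data.strip():
            kind, has_nonce = self._inline_block
            note = "nonced (needs a matching 'nonce-...' source)" if has_nonce else "no nonce"
            self._add(f"inline-{kind}", note)
            self._inline_block = None

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._inline_block = None


def audit_html(markup, page_origin="https://example.com"):
    """Return the list of Finding objects for the given markup."""
    auditor = StrictCspAuditor(page_origin)
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


def summarize(findings):
    """Count findings by kind, e.g. {'inline-script': 1, 'cross-origin': 1}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample of rendered template output (not from any real project).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="https://cdn.example.net/lib.js"></script>
<script>window.init = function () {};</script>
<style>.hero { color: red; }</style>
</head><body>
<img src="/static/logo.png" alt="">
<img src="data:image/png;base64,AAAA" alt="">
<button onclick="doThing()" style="color: blue">Go</button>
<a href="javascript:void(0)">link</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_PAGE):
        print(f"line {finding.line}: {finding.kind}: {finding.detail}")
    print(summarize(audit_html(SAMPLE_PAGE)))
```

Run it over the HTML your test client renders for each view (or over a package's template fixtures) and treat every non-empty result as work to do before the package can claim CSP support: inline scripts and handlers become Stimulus-style behaviours or external files, inline styles move to stylesheets, and any cross-origin or `data:` URLs are either dropped or documented as directives the consuming project must add.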
To get involved with those improvements, come say hi in #security or #packages in the Wagtail Slack! Or sign up to our newsletter to hear about this when it ships in upcoming Wagtail releases.