## Djust Framework CSP Weakness: 'unsafe-inline' Requirement Exposes Apps to XSS Risk
The Djust web framework's current security posture contains a significant, systemic weakness: all applications built with it are forced to include the 'unsafe-inline' directive in their Content Security Policy (CSP). This directive is a major hole in XSS defense, permitting the execution of inline scripts and styles that CSP is designed to block. The requirement stems from Djust's own client runtime and theming system, which inject inline `<script>` and `<style>` tags without the cryptographic nonces required for a secure, nonce-based CSP.

This architectural choice is hard-coded into the framework's scaffold. The default `settings.py` file generated for new projects explicitly includes `'unsafe-inline'` in both `CSP_SCRIPT_SRC` and `CSP_STYLE_SRC` directives, with comments acknowledging the dependency on Djust's own inline code. While not an active, exploitable vulnerability, this design forces developers to adopt a weaker security model by default, undermining the robust CSP coverage that could otherwise be achieved.

The fix is identified as a low-severity enhancement but carries high strategic value. Implementing nonce support would require relatively minor changes to the Djust client runtime and the `djust-theming` package, following well-established Django patterns already supported by its template layer. Closing this gap would automatically and meaningfully strengthen the XSS defense posture for the entire ecosystem of Djust applications, moving them from a permissive to a strict CSP model.
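
As an added illustration (not code from the Djust project or the issue), the following Python contrasts the permissive scaffold settings described above with a nonce-based equivalent and models the browser rule that matters here: once a `'nonce-…'` source is present, browsers that understand nonces ignore `'unsafe-inline'`, so inline code runs only when its tag carries the matching per-response nonce. The `WEAK_SETTINGS` dictionary is a constructed stand-in for the generated `settings.py`, and the function names are assumptions.

```python
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for the scaffold's defaults; the real settings.py may differ.
WEAK_SETTINGS: Dict[str, tuple] = {
    "CSP_SCRIPT_SRC": ("'self'", "'unsafe-inline'"),
    "CSP_STYLE_SRC": ("'self'", "'unsafe-inline'"),
}


def audit_csp(settings: Dict[str, tuple]) -> List[str]:
    """Names of directives that still permit arbitrary inline code."""
    return [name for name, values in settings.items() if "'unsafe-inline'" in values]


def make_nonce() -> str:
    """Fresh per response: 128 bits of randomness, base64url encoded."""
    return secrets.token_urlsafe(16)


def strict_settings(nonce: str) -> Dict[str, tuple]:
    """The same two directives with a nonce source in place of 'unsafe-inline'."""
    return {
        "CSP_SCRIPT_SRC": ("'self'", f"'nonce-{nonce}'"),
        "CSP_STYLE_SRC": ("'self'", f"'nonce-{nonce}'"),
    }


def build_csp_header(settings: Dict[str, tuple]) -> str:
    """Serialise django-csp style settings into a Content-Security-Policy value."""
    name_map = {"CSP_SCRIPT_SRC": "script-src", "CSP_STYLE_SRC": "style-src"}
    return "; ".join(f"{name_map[k]} {' '.join(v)}" for k, v in settings.items())


def render_inline_script(nonce: str, body: str) -> str:
    """What a nonce-aware client runtime would emit instead of a bare <script> tag."""
    return f'<script nonce="{nonce}">{body}</script>'


def inline_allowed(values: Iterable[str], tag_nonce: Optional[str]) -> bool:
    """Simplified browser rule (CSP Level 2 and later): if any nonce source is
    present, 'unsafe-inline' is ignored and inline code needs a matching nonce;
    otherwise inline code runs only if 'unsafe-inline' is listed."""
    values = list(values)
    nonces = {v[len("'nonce-"):-1] for v in values if v.startswith("'nonce-")}
    if nonces:
        return tag_nonce is not None and tag_nonce in nonces
    return "'unsafe-inline'" in values
```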

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: web security, Content Security Policy, XSS, Django, software architecture
- **Credibility**: unverified
- **Published**: 2026-04-10 21:22:46
- **ID**: 59505
- **URL**: https://whisperx.ai/en/intel/59505