Abstract image of a woman sitting on books and studying on a laptop

Two scoops of Django - Security Best Practices

Spin Lai, profile picture
Spin Lai

The document outlines best practices for Django security, covering configurations, security features, and admin access. Key areas of focus include preventing XSS, CSRF, SQL injection, and clickjacking, as well as proper password storage and data validation. Recommendations also emphasize server hardening, timely updates, and careful management of environment variables.

SoftwareTechnologyBusiness
1 of 78
Downloaded 172 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
Two Scoops of Django Security Best Practices Spin Lai
Two scoops of Django - Security Best Practices
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY !
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOW_HOSTS SECRET_KEY ! $ python manage.py --settings=[setting path] $ django-admin.py --settings=[setting path] $ export DJANGO_SETTINGS_MODULE=[setting path]
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! DEBUG = False ! TEMPLATE_DEBUG = False
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! # Must be set when DEBUG = False ALLOWED_HOSTS = [ 'localhost', 'www.example.com', '.example.com', '*' # Avoid ! ]
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! ‣ Configuration values, not code. ‣ DO NOT keep them in version control. ‣ Use environment variables.
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! ! def get_env_variable(varname): try: return os.environ[varname] except KeyError: msg = "Set the %s environment variable" % var_name raise ImporperlyConfigured(msg)
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation ‣ Django by default escapes specific characters ‣ Be careful when using is_safe attribute ‣ Be very careful when storing HTML in Database
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Random token value by CsrfViewMiddleware (CSRF cookie) ‣ `csrf_token` template tag generate hidden input ‣ Every request calls django.middleware.csrf.get_token() ‣ Compare CSRF cookie with `csrfmiddlewaretoken` value ‣ With HTTPS, CsrfViewMiddleWare will check referer header
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Pass CSRF token as POST data with every POST request ‣ Set a custom `X-CSRFToken` header on each request ‣ CSRF cookie might not exist without `csrf_token` tag
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() var origSync = Backbone.sync; Backbone.sync = function (method, model, options) { options.beforeSend = function (xhr) { xhr.setRequestHeader('X-CSRFToken', $.cookie('csrftoken')); }; ! return origSync(method, model, options); };
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Injection protection • Script Injection • SQL Injection
Injection protection • Script Injection • SQL Injection ‣Beware of the eval(), exec() and execfile() ‣DO NOT use `pickle` module to serialize/deserialize data. ‣Only use safe_load() in PyYAML
Injection protection • Script Injection • SQL Injection ‣ Django Queryset escape varaibles automatically ‣ Be careful to escape raw SQL properly ‣ Exercise caution when using extra()
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support Whether or not a resource is allowed to load within a frame or iframe
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support MIDDLEWARE_CLASSES = ( ... 'django.middleware.clickjacking.XFrameOptionsMiddleware', ... )
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support # Default X_FRAME_OPTIONS = 'SAMEORIGIN' ! X_FRAME_OPTIONS = 'DENY'
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support ‣ Internet Explorer 8+ ‣ Firefox 3.6.9+ ‣ Opera 10.5+ ‣ Safari 4+ ‣ Chrome 4.1+
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣ Web server configuration ‣ Django middleware ‣ SSL certificate from reputable source
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages SECURE_PROXY_SSL_HEADER = False ! $ export HTTPS=on
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages SESSION_COOKIE_SECURE = True ! CSRF_COOKIE_SECURE = True
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣Redirect HTTP links to HTTPS ‣Web server level configuration ‣HSTS-compliant browsers
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages Strict-Transport-Security: max-age=31536000, includeSubDomains
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣ django-sslify ‣ django-secure ‣ django-hstsmiddleware
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor <algorithm>$<iteration>$<salt>$<hash>
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor PASSWORD_HASHERS = ( 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher', 'django.contrib.auth.hashers.MD5PasswordHasher', 'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher', 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher', 'django.contrib.auth.hashers.CryptPasswordHasher', )
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • bcrypt • Increase work factor
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Data Validation • Django Forms • User-Uploaded Content
Data Validation • Django Forms • User-Uploaded Content ‣ Designed to validate Python dictionaries ‣ Not only for HTTP POST request ‣ DO NOT use ModelForms.Meta.exclude ‣ Use ModelForms.Meta.fields instead
Data Validation • Django Forms • User-Uploaded Content from django import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Don't Do this!! excludes = ("pk", "slug", "modified")
Data Validation • Django Forms • User-Uploaded Content from django import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Explicitly specifying what we want fields = ("title", "address", "email")
Data Validation • Django Forms • User-Uploaded Content ‣ Limit upload in web server ‣ FileField / ImageField ‣ python-magic ‣ Validate with specific file type library
Data Validation • Django Forms • User-Uploaded Content from django.utils.image import Image ! try: Image.open(file).verify() except Exception: # Pillow (or PIL) doesn't recognize it as an image. six.reraise(ValidationError, ValidationError( self.error_messages['invalid_image'], code='invalid_image', ), sys.exc_info()[2])
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ Web server configuration ‣ Django middleware
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ django-admin-honeypot ‣ django-axes
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ PCI-DSS Security Standards ‣ Sufficient Time/Resource/Funds ‣ Using 3rd-Party Services ‣ Beware of Open Source Solutions
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ Check access/error logs regularly ‣ Install monitoring tools
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
Keep Things Up-to-Date • Dependencies • Security Practices
Keep Things Up-to-Date • Dependencies • Security Practiceshttps://www.djangoproject.com/weblog/
Keep Things Up-to-Date • Dependencies • Security Practices
Keep Things Up-to-Date • Dependencies • Security Practices
Keep Things Up-to-Date • Dependencies • Security Practices
Thank You

More Related Content

PDF
Security in Node.JS and Express:
Petros Demetrakopoulos
 
PPTX
Server-side template injection- Slides
Amit Dubey
 
PPT
Hacking web applications
phanleson
 
PDF
A Hacker's perspective on AEM applications security
Mikhail Egorov
 
PDF
Cross site scripting
n|u - The Open Security Community
 
PPTX
Cross site scripting
kinish kumar
 
PDF
Angular data binding
Sultan Ahmed
 
PDF
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Security in Node.JS and Express:
Petros Demetrakopoulos
 
Server-side template injection- Slides
Amit Dubey
 
Hacking web applications
phanleson
 
A Hacker's perspective on AEM applications security
Mikhail Egorov
 
Cross site scripting
n|u - The Open Security Community
 
Cross site scripting
kinish kumar
 
Angular data binding
Sultan Ahmed
 
Cross site scripting attacks and defenses
Mohammed A. Imran
 

What's hot (20)

PPTX
Maven tutorial
Dragos Balan
 
PPTX
Json Web Token - JWT
Prashant Walke
 
KEY
Authentication
soon
 
PDF
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
PDF
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
PDF
Angular - Chapter 4 - Data and Event Handling
WebStackAcademy
 
PPT
XSS and CSRF with HTML5
Shreeraj Shah
 
PPTX
Cross Site Scripting
Ali Mattash
 
PDF
Pentesting GraphQL Applications
Neelu Tripathy
 
PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
PDF
The WAF book (Web App Firewall )
Lior Rotkovitch
 
PDF
Burp suite
Yashar Shahinzadeh
 
PPTX
Basics of Server Side Template Injection
Vandana Verma
 
PDF
Django Introduction & Tutorial
之宇 趙
 
PPTX
Codeinjection
Nitish Kumar
 
PDF
Sql injection bypassing hand book blackrose
Noaman Aziz
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
PPTX
Web-App Remote Code Execution Via Scripting Engines
c0c0n - International Cyber Security and Policing Conference
 
PDF
Angular Notes.pdf
sagarpal60
 
PPTX
Java Spring
AathikaJava
 
Maven tutorial
Dragos Balan
 
Json Web Token - JWT
Prashant Walke
 
Authentication
soon
 
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
Masato Kinugawa
 
Angular - Chapter 4 - Data and Event Handling
WebStackAcademy
 
XSS and CSRF with HTML5
Shreeraj Shah
 
Cross Site Scripting
Ali Mattash
 
Pentesting GraphQL Applications
Neelu Tripathy
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
 
The WAF book (Web App Firewall )
Lior Rotkovitch
 
Burp suite
Yashar Shahinzadeh
 
Basics of Server Side Template Injection
Vandana Verma
 
Django Introduction & Tutorial
之宇 趙
 
Codeinjection
Nitish Kumar
 
Sql injection bypassing hand book blackrose
Noaman Aziz
 
Reflective and Stored XSS- Cross Site Scripting
InMobi Technology
 
Web-App Remote Code Execution Via Scripting Engines
c0c0n - International Cyber Security and Policing Conference
 
Angular Notes.pdf
sagarpal60
 
Java Spring
AathikaJava
 
Ad

Viewers also liked (20)

PPTX
Django Web Application Security
levigross
 
KEY
Django In The Real World
Jacob Kaplan-Moss
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
PDF
12 tips on Django Best Practices
David Arcos
 
PDF
A quick python_tour
cghtkh
 
KEY
Capybara
Mona Soni
 
PDF
Outside-In Development With Cucumber
Ben Mabey
 
KEY
Make It Cooler: Using Decentralized Version Control
indiver
 
PDF
Introduction To Django (Strange Loop 2011)
Jacob Kaplan-Moss
 
PPTX
Prepare for JDK 9
haochenglee
 
KEY
Introduction to Django
James Casey
 
PPT
Introduction to Git for developers
Dmitry Guyvoronsky
 
PPTX
Flask and Paramiko for Python VA
Enrique Valenzuela
 
PDF
Django rest framework in 20 minuten
Andi Albrecht
 
PPTX
Django deployment best practices
Erik LaBianca
 
PDF
Ansible on AWS
Diego Pacheco
 
KEY
Do more than one thing at the same time, the Python way
Jaime Buelta
 
PDF
Towards Continuous Deployment with Django
Roger Barnes
 
PDF
Pythonic Deployment with Fabric 0.9
Corey Oordt
 
PDF
Django REST Framework
Load Impact
 
Django Web Application Security
levigross
 
Django In The Real World
Jacob Kaplan-Moss
 
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
12 tips on Django Best Practices
David Arcos
 
A quick python_tour
cghtkh
 
Capybara
Mona Soni
 
Outside-In Development With Cucumber
Ben Mabey
 
Make It Cooler: Using Decentralized Version Control
indiver
 
Introduction To Django (Strange Loop 2011)
Jacob Kaplan-Moss
 
Prepare for JDK 9
haochenglee
 
Introduction to Django
James Casey
 
Introduction to Git for developers
Dmitry Guyvoronsky
 
Flask and Paramiko for Python VA
Enrique Valenzuela
 
Django rest framework in 20 minuten
Andi Albrecht
 
Django deployment best practices
Erik LaBianca
 
Ansible on AWS
Diego Pacheco
 
Do more than one thing at the same time, the Python way
Jaime Buelta
 
Towards Continuous Deployment with Django
Roger Barnes
 
Pythonic Deployment with Fabric 0.9
Corey Oordt
 
Django REST Framework
Load Impact
 
Ad

Similar to Two scoops of Django - Security Best Practices (20)

PPT
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
PDF
Dennis Byrne - Full Stack Python Security_ Cryptography, TLS, and attack resi...
ngTrm19
 
PPTX
Pentesting for startups
levigross
 
PPTX
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
PDF
The net is dark and full of terrors - James Bennett
Leo Zhou
 
DOCX
What is Full Stack with Django and how to start learning It.docx
Technogeeks
 
PPTX
ISO 27k talk for django meet up
Viren Rajput
 
PDF
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
 
PDF
«(Без)опасный Python», Иван Цыганов, Positive Technologies
it-people
 
PDF
(Un)safe Python
Ivan Tsyganov
 
PDF
Full Stack Python Security Cryptography TLS And Attack Resistance 1st Edition...
saaricosh
 
PDF
Client Server Security with Flask and iOS
Make School
 
PDF
Download full ebook of Mastering Django Core Nigel George instant download pdf
ajiyalovelu
 
KEY
What's new in Django 1.2?
Jacob Kaplan-Moss
 
PDF
Django User Management & Social Authentication
Spin Lai
 
PPTX
Django Level Five Django Level Five.pptx
realacmesoftwarelab
 
PDF
Django at Scale
bretthoerner
 
PDF
Django
Nam Dang
 
PPTX
Security: Odoo Code Hardening
Odoo
 
PDF
What the heck went wrong?
Andy McKay
 
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
Dennis Byrne - Full Stack Python Security_ Cryptography, TLS, and attack resi...
ngTrm19
 
Pentesting for startups
levigross
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
The net is dark and full of terrors - James Bennett
Leo Zhou
 
What is Full Stack with Django and how to start learning It.docx
Technogeeks
 
ISO 27k talk for django meet up
Viren Rajput
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
 
«(Без)опасный Python», Иван Цыганов, Positive Technologies
it-people
 
(Un)safe Python
Ivan Tsyganov
 
Full Stack Python Security Cryptography TLS And Attack Resistance 1st Edition...
saaricosh
 
Client Server Security with Flask and iOS
Make School
 
Download full ebook of Mastering Django Core Nigel George instant download pdf
ajiyalovelu
 
What's new in Django 1.2?
Jacob Kaplan-Moss
 
Django User Management & Social Authentication
Spin Lai
 
Django Level Five Django Level Five.pptx
realacmesoftwarelab
 
Django at Scale
bretthoerner
 
Django
Nam Dang
 
Security: Odoo Code Hardening
Odoo
 
What the heck went wrong?
Andy McKay
 

Recently uploaded (20)

PPT
chapter01_java_programming_object_oriented
mjmansoori54
 
PDF
solman-7.0-ehp1-sp21-incident-management
Giuseppe Caselli
 
PDF
C language slides for c programming book by ANSI
sharmatribhuvnesh
 
PDF
Enscape 3D Crack + With 2025 Activation Key free
bobykhan786g
 
PDF
KidsTale AI Review - Create Magical Kids’ Story Videos in 2 Minutes.pdf
THEMESMO
 
PPTX
SIH2024_IDEA_dy_dx_deepfakedetection.pptx
namiichan101108
 
PDF
IT Advisory Services | Alphavima Technologies – Microsoft Partner
babufastdeals
 
PDF
How to Write Automated Test Scripts Using Selenium.pdf
kalichargn70th171
 
PDF
MaterialX Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
PDF
OpenColorIO Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
PDF
Canva Desktop App With Crack Free Download 2025?
henryc1122g
 
PPTX
ESDS_SAP Application Cloud Offerings.pptx
AAlam20
 
PDF
OpenAssetIO Virtual Town Hall - August 2025.pdf
AcademySoftwareFoundation
 
PPTX
SAP Business AI_L1 Overview_EXTERNAL.pptx
AAlam20
 
PPTX
MCP empowers AI Agents from Zero to Production
innovaterz
 
PPTX
TRAVEL SUPPLIER API INTEGRATION | XML BOOKING ENGINE
philipnathen82
 
PPTX
Independent Consultants’ Biggest Challenges in ERP Projects – and How Apagen ...
SatishKumar2651
 
PDF
DOWNLOAD—IOBit Uninstaller Pro Crack Download Free
henryc1122g
 
PPTX
Comprehensive Guide to Digital Image Processing Concepts and Applications
ashritha03102004
 
PDF
10 Mistakes Agile Project Managers Still Make
Sahil Aggarwal
 
chapter01_java_programming_object_oriented
mjmansoori54
 
solman-7.0-ehp1-sp21-incident-management
Giuseppe Caselli
 
C language slides for c programming book by ANSI
sharmatribhuvnesh
 
Enscape 3D Crack + With 2025 Activation Key free
bobykhan786g
 
KidsTale AI Review - Create Magical Kids’ Story Videos in 2 Minutes.pdf
THEMESMO
 
SIH2024_IDEA_dy_dx_deepfakedetection.pptx
namiichan101108
 
IT Advisory Services | Alphavima Technologies – Microsoft Partner
babufastdeals
 
How to Write Automated Test Scripts Using Selenium.pdf
kalichargn70th171
 
MaterialX Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
OpenColorIO Virtual Town Hall - August 2025
AcademySoftwareFoundation
 
Canva Desktop App With Crack Free Download 2025?
henryc1122g
 
ESDS_SAP Application Cloud Offerings.pptx
AAlam20
 
OpenAssetIO Virtual Town Hall - August 2025.pdf
AcademySoftwareFoundation
 
SAP Business AI_L1 Overview_EXTERNAL.pptx
AAlam20
 
MCP empowers AI Agents from Zero to Production
innovaterz
 
TRAVEL SUPPLIER API INTEGRATION | XML BOOKING ENGINE
philipnathen82
 
Independent Consultants’ Biggest Challenges in ERP Projects – and How Apagen ...
SatishKumar2651
 
DOWNLOAD—IOBit Uninstaller Pro Crack Download Free
henryc1122g
 
Comprehensive Guide to Digital Image Processing Concepts and Applications
ashritha03102004
 
10 Mistakes Agile Project Managers Still Make
Sahil Aggarwal
 

Two scoops of Django - Security Best Practices

  • 1. Two Scoops of Django Security Best Practices Spin Lai
  • 3. I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
  • 4. I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
  • 5. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY !
  • 6. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOW_HOSTS SECRET_KEY ! $ python manage.py --settings=[setting path] $ django-admin.py --settings=[setting path] $ export DJANGO_SETTINGS_MODULE=[setting path]
  • 7. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! DEBUG = False ! TEMPLATE_DEBUG = False
  • 8. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! # Must be set when DEBUG = False ALLOWED_HOSTS = [ 'localhost', 'www.example.com', '.example.com', '*' # Avoid ! ]
  • 9. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! ‣ Configuration values, not code. ‣ DO NOT keep them in version control. ‣ Use environment variables.
  • 10. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! ! def get_env_variable(varname): try: return os.environ[varname] except KeyError: msg = "Set the %s environment variable" % var_name raise ImporperlyConfigured(msg)
  • 11. I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
  • 12. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 13. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation ‣ Django by default escapes specific characters ‣ Be careful when using is_safe attribute ‣ Be very careful when storing HTML in Database
  • 14. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 15. CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
  • 16. CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Random token value by CsrfViewMiddleware (CSRF cookie) ‣ `csrf_token` template tag generate hidden input ‣ Every request calls django.middleware.csrf.get_token() ‣ Compare CSRF cookie with `csrfmiddlewaretoken` value ‣ With HTTPS, CsrfViewMiddleWare will check referer header
  • 17. CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Pass CSRF token as POST data with every POST request ‣ Set a custom `X-CSRFToken` header on each request ‣ CSRF cookie might not exist without `csrf_token` tag
  • 18. CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() var origSync = Backbone.sync; Backbone.sync = function (method, model, options) { options.beforeSend = function (xhr) { xhr.setRequestHeader('X-CSRFToken', $.cookie('csrftoken')); }; ! return origSync(method, model, options); };
  • 19. CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
  • 20. CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
  • 21. CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
  • 22. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 23. Injection protection • Script Injection • SQL Injection
  • 24. Injection protection • Script Injection • SQL Injection ‣Beware of the eval(), exec() and execfile() ‣DO NOT use `pickle` module to serialize/deserialize data. ‣Only use safe_load() in PyYAML
  • 25. Injection protection • Script Injection • SQL Injection ‣ Django Queryset escape varaibles automatically ‣ Be careful to escape raw SQL properly ‣ Exercise caution when using extra()
  • 26. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 27. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support
  • 28. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support Whether or not a resource is allowed to load within a frame or iframe
  • 29. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support MIDDLEWARE_CLASSES = ( ... 'django.middleware.clickjacking.XFrameOptionsMiddleware', ... )
  • 30. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support # Default X_FRAME_OPTIONS = 'SAMEORIGIN' ! X_FRAME_OPTIONS = 'DENY'
  • 31. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support
  • 32. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support ‣ Internet Explorer 8+ ‣ Firefox 3.6.9+ ‣ Opera 10.5+ ‣ Safari 4+ ‣ Chrome 4.1+
  • 33. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 34. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages
  • 35. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣ Web server configuration ‣ Django middleware ‣ SSL certificate from reputable source
  • 36. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages SECURE_PROXY_SSL_HEADER = False ! $ export HTTPS=on
  • 37. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages SESSION_COOKIE_SECURE = True ! CSRF_COOKIE_SECURE = True
  • 38. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣Redirect HTTP links to HTTPS ‣Web server level configuration ‣HSTS-compliant browsers
  • 39. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages Strict-Transport-Security: max-age=31536000, includeSubDomains
  • 40. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣ django-sslify ‣ django-secure ‣ django-hstsmiddleware
  • 41. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 42. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
  • 43. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
  • 44. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor <algorithm>$<iteration>$<salt>$<hash>
  • 45. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor PASSWORD_HASHERS = ( 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher', 'django.contrib.auth.hashers.MD5PasswordHasher', 'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher', 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher', 'django.contrib.auth.hashers.CryptPasswordHasher', )
  • 46. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • bcrypt • Increase work factor
  • 47. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
  • 48. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 49. Data Validation • Django Forms • User-Uploaded Content
  • 50. Data Validation • Django Forms • User-Uploaded Content ‣ Designed to validate Python dictionaries ‣ Not only for HTTP POST request ‣ DO NOT use ModelForms.Meta.exclude ‣ Use ModelForms.Meta.fields instead
  • 51. Data Validation • Django Forms • User-Uploaded Content from django import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Don't Do this!! excludes = ("pk", "slug", "modified")
  • 52. Data Validation • Django Forms • User-Uploaded Content from django import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Explicitly specifying what we want fields = ("title", "address", "email")
  • 53. Data Validation • Django Forms • User-Uploaded Content ‣ Limit upload in web server ‣ FileField / ImageField ‣ python-magic ‣ Validate with specific file type library
  • 54. Data Validation • Django Forms • User-Uploaded Content from django.utils.image import Image ! try: Image.open(file).verify() except Exception: # Pillow (or PIL) doesn't recognize it as an image. six.reraise(ValidationError, ValidationError( self.error_messages['invalid_image'], code='invalid_image', ), sys.exc_info()[2])
  • 55. I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
  • 56. Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 57. Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 58. Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 59. Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ Web server configuration ‣ Django middleware
  • 60. Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 61. Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 62. Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ django-admin-honeypot ‣ django-axes
  • 63. I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
  • 64. What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 65. What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 66. What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ PCI-DSS Security Standards ‣ Sufficient Time/Resource/Funds ‣ Using 3rd-Party Services ‣ Beware of Open Source Solutions
  • 67. What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ Check access/error logs regularly ‣ Install monitoring tools
  • 68. What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 69. What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 70. What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 71. What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 72. What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 73. Keep Things Up-to-Date • Dependencies • Security Practices
  • 74. Keep Things Up-to-Date • Dependencies • Security Practiceshttps://www.djangoproject.com/weblog/
  • 75. Keep Things Up-to-Date • Dependencies • Security Practices
  • 76. Keep Things Up-to-Date • Dependencies • Security Practices
  • 77. Keep Things Up-to-Date • Dependencies • Security Practices