Spin Lai, profile picture
Uploaded bySpin Lai
5,933 views

Two scoops of Django - Security Best Practices

The document outlines best practices for Django security, covering configurations, security features, and admin access. Key areas of focus include preventing XSS, CSRF, SQL injection, and clickjacking, as well as proper password storage and data validation. Recommendations also emphasize server hardening, timely updates, and careful management of environment variables.

Embed presentation

Downloaded 172 times
Two Scoops of Django Security Best Practices Spin Lai
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY !
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOW_HOSTS SECRET_KEY ! $ python manage.py --settings=[setting path] $ django-admin.py --settings=[setting path] $ export DJANGO_SETTINGS_MODULE=[setting path]
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! DEBUG = False ! TEMPLATE_DEBUG = False
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! # Must be set when DEBUG = False ALLOWED_HOSTS = [ 'localhost', 'www.example.com', '.example.com', '*' # Avoid ! ]
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! ‣ Configuration values, not code. ‣ DO NOT keep them in version control. ‣ Use environment variables.
Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! ! def get_env_variable(varname): try: return os.environ[varname] except KeyError: msg = "Set the %s environment variable" % var_name raise ImporperlyConfigured(msg)
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation ‣ Django by default escapes specific characters ‣ Be careful when using is_safe attribute ‣ Be very careful when storing HTML in Database
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Random token value by CsrfViewMiddleware (CSRF cookie) ‣ `csrf_token` template tag generate hidden input ‣ Every request calls django.middleware.csrf.get_token() ‣ Compare CSRF cookie with `csrfmiddlewaretoken` value ‣ With HTTPS, CsrfViewMiddleWare will check referer header
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Pass CSRF token as POST data with every POST request ‣ Set a custom `X-CSRFToken` header on each request ‣ CSRF cookie might not exist without `csrf_token` tag
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() var origSync = Backbone.sync; Backbone.sync = function (method, model, options) { options.beforeSend = function (xhr) { xhr.setRequestHeader('X-CSRFToken', $.cookie('csrftoken')); }; ! return origSync(method, model, options); };
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
CSRF protection • Django CSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Injection protection • Script Injection • SQL Injection
Injection protection • Script Injection • SQL Injection ‣Beware of the eval(), exec() and execfile() ‣DO NOT use `pickle` module to serialize/deserialize data. ‣Only use safe_load() in PyYAML
Injection protection • Script Injection • SQL Injection ‣ Django Queryset escape varaibles automatically ‣ Be careful to escape raw SQL properly ‣ Exercise caution when using extra()
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support Whether or not a resource is allowed to load within a frame or iframe
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support MIDDLEWARE_CLASSES = ( ... 'django.middleware.clickjacking.XFrameOptionsMiddleware', ... )
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support # Default X_FRAME_OPTIONS = 'SAMEORIGIN' ! X_FRAME_OPTIONS = 'DENY'
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support
Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt • Browsers Support ‣ Internet Explorer 8+ ‣ Firefox 3.6.9+ ‣ Opera 10.5+ ‣ Safari 4+ ‣ Chrome 4.1+
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣ Web server configuration ‣ Django middleware ‣ SSL certificate from reputable source
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages SECURE_PROXY_SSL_HEADER = False ! $ export HTTPS=on
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages SESSION_COOKIE_SECURE = True ! CSRF_COOKIE_SECURE = True
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣Redirect HTTP links to HTTPS ‣Web server level configuration ‣HSTS-compliant browsers
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages Strict-Transport-Security: max-age=31536000, includeSubDomains
SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣ django-sslify ‣ django-secure ‣ django-hstsmiddleware
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor <algorithm>$<iteration>$<salt>$<hash>
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor PASSWORD_HASHERS = ( 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher', 'django.contrib.auth.hashers.MD5PasswordHasher', 'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher', 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher', 'django.contrib.auth.hashers.CryptPasswordHasher', )
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • bcrypt • Increase work factor
Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Data Validation • Django Forms • User-Uploaded Content
Data Validation • Django Forms • User-Uploaded Content ‣ Designed to validate Python dictionaries ‣ Not only for HTTP POST request ‣ DO NOT use ModelForms.Meta.exclude ‣ Use ModelForms.Meta.fields instead
Data Validation • Django Forms • User-Uploaded Content from django import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Don't Do this!! excludes = ("pk", "slug", "modified")
Data Validation • Django Forms • User-Uploaded Content from django import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Explicitly specifying what we want fields = ("title", "address", "email")
Data Validation • Django Forms • User-Uploaded Content ‣ Limit upload in web server ‣ FileField / ImageField ‣ python-magic ‣ Validate with specific file type library
Data Validation • Django Forms • User-Uploaded Content from django.utils.image import Image ! try: Image.open(file).verify() except Exception: # Pillow (or PIL) doesn't recognize it as an image. six.reraise(ValidationError, ValidationError( self.error_messages['invalid_image'], code='invalid_image', ), sys.exc_info()[2])
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ Web server configuration ‣ Django middleware
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ django-admin-honeypot ‣ django-axes
I. Django Configurations II. Django Security Features III. Django Admin IV. What Else ?
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ PCI-DSS Security Standards ‣ Sufficient Time/Resource/Funds ‣ Using 3rd-Party Services ‣ Beware of Open Source Solutions
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ Check access/error logs regularly ‣ Install monitoring tools
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ? Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
Keep Things Up-to-Date • Dependencies • Security Practices
Keep Things Up-to-Date • Dependencies • Security Practiceshttps://www.djangoproject.com/weblog/
Keep Things Up-to-Date • Dependencies • Security Practices
Keep Things Up-to-Date • Dependencies • Security Practices
Keep Things Up-to-Date • Dependencies • Security Practices
Thank You

More Related Content

PPTX
Django Web Application Security
bylevigross
 
PPT
03 internetworking
bybajulusiraj
 
PPTX
Digital payment merchants
byConfederation of Indian Industry
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
PDF
A quick python_tour
bycghtkh
 
KEY
Capybara
byMona Soni
 
PDF
12 tips on Django Best Practices
byDavid Arcos
 
KEY
Django In The Real World
byJacob Kaplan-Moss
 
Django Web Application Security
bylevigross
 
03 internetworking
bybajulusiraj
 
Digital payment merchants
byConfederation of Indian Industry
 
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
A quick python_tour
bycghtkh
 
Capybara
byMona Soni
 
12 tips on Django Best Practices
byDavid Arcos
 
Django In The Real World
byJacob Kaplan-Moss
 

Viewers also liked

PDF
Django in the Real World
byJacob Kaplan-Moss
 
KEY
Introduction to Django
byJames Casey
 
KEY
Scaling Django
byMike Malone
 
PDF
Jenkins CI
byhaochenglee
 
PPT
Introduction to Git for developers
byDmitry Guyvoronsky
 
PPTX
Flask and Paramiko for Python VA
byEnrique Valenzuela
 
PDF
Life in a Queue - Using Message Queue with django
byTareque Hossain
 
PDF
Introduction To Django (Strange Loop 2011)
byJacob Kaplan-Moss
 
PPTX
Django deployment best practices
byErik LaBianca
 
PDF
Pythonic Deployment with Fabric 0.9
byCorey Oordt
 
PDF
Django rest framework in 20 minuten
byAndi Albrecht
 
PDF
Towards Continuous Deployment with Django
byRoger Barnes
 
PDF
Django REST Framework
byLoad Impact
 
PDF
Building a platform with Django, Docker, and Salt
bybaremetal
 
KEY
Make It Cooler: Using Decentralized Version Control
byindiver
 
PDF
Ansible on AWS
byDiego Pacheco
 
PPTX
Prepare for JDK 9
byhaochenglee
 
KEY
Do more than one thing at the same time, the Python way
byJaime Buelta
 
PDF
The WHY behind TDD/BDD and the HOW with RSpec
byBen Mabey
 
PDF
Outside-In Development With Cucumber
byBen Mabey
 
Django in the Real World
byJacob Kaplan-Moss
 
Introduction to Django
byJames Casey
 
Scaling Django
byMike Malone
 
Jenkins CI
byhaochenglee
 
Introduction to Git for developers
byDmitry Guyvoronsky
 
Flask and Paramiko for Python VA
byEnrique Valenzuela
 
Life in a Queue - Using Message Queue with django
byTareque Hossain
 
Introduction To Django (Strange Loop 2011)
byJacob Kaplan-Moss
 
Django deployment best practices
byErik LaBianca
 
Pythonic Deployment with Fabric 0.9
byCorey Oordt
 
Django rest framework in 20 minuten
byAndi Albrecht
 
Towards Continuous Deployment with Django
byRoger Barnes
 
Django REST Framework
byLoad Impact
 
Building a platform with Django, Docker, and Salt
bybaremetal
 
Make It Cooler: Using Decentralized Version Control
byindiver
 
Ansible on AWS
byDiego Pacheco
 
Prepare for JDK 9
byhaochenglee
 
Do more than one thing at the same time, the Python way
byJaime Buelta
 
The WHY behind TDD/BDD and the HOW with RSpec
byBen Mabey
 
Outside-In Development With Cucumber
byBen Mabey
 

Similar to Two scoops of Django - Security Best Practices

KEY
Authentication
bysoon
 
PDF
Dennis Byrne - Full Stack Python Security_ Cryptography, TLS, and attack resi...
byngTrm19
 
PDF
Django at Scale
bybretthoerner
 
PDF
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
byMichael Pirnat
 
PDF
Download full ebook of Mastering Django Core Nigel George instant download pdf
byajiyalovelu
 
PDF
Django User Management & Social Authentication
bySpin Lai
 
PPTX
ISO 27k talk for django meet up
byViren Rajput
 
PDF
Full Stack Python Security Cryptography TLS And Attack Resistance 1st Edition...
bysaaricosh
 
PPTX
Django Level Five Django Level Five.pptx
byrealacmesoftwarelab
 
PDF
Secure Python Development: Best Practices for APIs & Microservices
byGrapesTech Solutions
 
DOCX
What is Full Stack with Django and how to start learning It.docx
byTechnogeeks
 
KEY
What's new in Django 1.2?
byJacob Kaplan-Moss
 
PPTX
Pentesting for startups
bylevigross
 
PDF
Client Server Security with Flask and iOS
byMake School
 
PPTX
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
bynooralmousa
 
PDF
(Un)safe Python
byIvan Tsyganov
 
PDF
«(Без)опасный Python», Иван Цыганов, Positive Technologies
byit-people
 
PPT
Django (Web Applications that are Secure by Default)
byKishor Kumar
 
PDF
Django
byNam Dang
 
PDF
The net is dark and full of terrors - James Bennett
byLeo Zhou
 
Authentication
bysoon
 
Dennis Byrne - Full Stack Python Security_ Cryptography, TLS, and attack resi...
byngTrm19
 
Django at Scale
bybretthoerner
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
byMichael Pirnat
 
Download full ebook of Mastering Django Core Nigel George instant download pdf
byajiyalovelu
 
Django User Management & Social Authentication
bySpin Lai
 
ISO 27k talk for django meet up
byViren Rajput
 
Full Stack Python Security Cryptography TLS And Attack Resistance 1st Edition...
bysaaricosh
 
Django Level Five Django Level Five.pptx
byrealacmesoftwarelab
 
Secure Python Development: Best Practices for APIs & Microservices
byGrapesTech Solutions
 
What is Full Stack with Django and how to start learning It.docx
byTechnogeeks
 
What's new in Django 1.2?
byJacob Kaplan-Moss
 
Pentesting for startups
bylevigross
 
Client Server Security with Flask and iOS
byMake School
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
bynooralmousa
 
(Un)safe Python
byIvan Tsyganov
 
«(Без)опасный Python», Иван Цыганов, Positive Technologies
byit-people
 
Django (Web Applications that are Secure by Default)
byKishor Kumar
 
Django
byNam Dang
 
The net is dark and full of terrors - James Bennett
byLeo Zhou
 

Recently uploaded

PDF
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
PDF
An Agent Walks Into a Bar... and Meets Another Agent: Multi-Agent Systems in ...
byMaxim Salnikov
 
PPTX
Revolutionizing Application Modernization with AI
byKrzysztofKkol1
 
PDF
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
PDF
Bring AI and build AI agents into your Jakarta EE Apps with LangChain4J-CDI
byBuhake Sindi
 
PDF
DSD-INT 2025 How mangroves and past land-use change are affecting compound fl...
byDeltares
 
PDF
DSD-INT 2025 DevOps - Automated testing and delivery of Delft3D FM - van West...
byDeltares
 
PDF
Breaking the Vulnerability Management Cycle with Anchore and Echo
byAnchore
 
PDF
DSD-INT 2025 Coupling SFINCS to a flood risk model to evaluate the effects of...
byDeltares
 
PDF
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
PPTX
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 
PDF
Data Integration with Salesforce Bootcamp
byDele Amefo
 
PDF
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
PPTX
Future of Software Testing: AI-Powered Open Source Testing Tools
bySophie Lane
 
PDF
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
PDF
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
PDF
DevOps Monitoring Tools: The 2025 Guide to Performance & Observability
byalexendrascott01
 
PDF
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
PDF
DSD-INT 2025 Understanding the Paraguay River Response to Hard Bottom Dredgin...
byDeltares
 
PPTX
wAIred_LearnwithoutAI_KotlinDevDay_27112025.pptx
bySimonedeGijt
 
Everything You Ever Wanted to Know About Quarkus and LangChain4j
byMarkus Eisele
 
An Agent Walks Into a Bar... and Meets Another Agent: Multi-Agent Systems in ...
byMaxim Salnikov
 
Revolutionizing Application Modernization with AI
byKrzysztofKkol1
 
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
Bring AI and build AI agents into your Jakarta EE Apps with LangChain4J-CDI
byBuhake Sindi
 
DSD-INT 2025 How mangroves and past land-use change are affecting compound fl...
byDeltares
 
DSD-INT 2025 DevOps - Automated testing and delivery of Delft3D FM - van West...
byDeltares
 
Breaking the Vulnerability Management Cycle with Anchore and Echo
byAnchore
 
DSD-INT 2025 Coupling SFINCS to a flood risk model to evaluate the effects of...
byDeltares
 
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
Understanding-ROM-RAM-Cache-and-Buffer-Memory.pptx.pptx
bylata2850
 
Data Integration with Salesforce Bootcamp
byDele Amefo
 
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
Future of Software Testing: AI-Powered Open Source Testing Tools
bySophie Lane
 
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
DevOps Monitoring Tools: The 2025 Guide to Performance & Observability
byalexendrascott01
 
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
DSD-INT 2025 Understanding the Paraguay River Response to Hard Bottom Dredgin...
byDeltares
 
wAIred_LearnwithoutAI_KotlinDevDay_27112025.pptx
bySimonedeGijt
 

Two scoops of Django - Security Best Practices

  • 1.
    Two Scoops ofDjango Security Best Practices Spin Lai
  • 3.
    I. Django Configurations II.Django Security Features III. Django Admin IV. What Else ?
  • 4.
    I. Django Configurations II.Django Security Features III. Django Admin IV. What Else ?
  • 5.
    Django Configurations Designate Settings DEBUG/ TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY !
  • 6.
    Django Configurations Designate Settings DEBUG/ TEMPLATE_DEBUG ALLOW_HOSTS SECRET_KEY ! $ python manage.py --settings=[setting path] $ django-admin.py --settings=[setting path] $ export DJANGO_SETTINGS_MODULE=[setting path]
  • 7.
    Django Configurations Designate Settings DEBUG/ TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! DEBUG = False ! TEMPLATE_DEBUG = False
  • 8.
    Django Configurations Designate Settings DEBUG/ TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! # Must be set when DEBUG = False ALLOWED_HOSTS = [ 'localhost', 'www.example.com', '.example.com', '*' # Avoid ! ]
  • 9.
    Django Configurations Designate Settings DEBUG/ TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! ‣ Configuration values, not code. ‣ DO NOT keep them in version control. ‣ Use environment variables.
  • 10.
    Django Configurations Designate Settings DEBUG/ TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY ! ! def get_env_variable(varname): try: return os.environ[varname] except KeyError: msg = "Set the %s environment variable" % var_name raise ImporperlyConfigured(msg)
  • 11.
    I. Django Configurations II.Django Security Features III. Django Admin IV. What Else ?
  • 12.
    Django Security Features XSSProtection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 13.
    Django Security Features XSSProtection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation ‣ Django by default escapes specific characters ‣ Be careful when using is_safe attribute ‣ Be very careful when storing HTML in Database
  • 14.
    Django Security Features XSSProtection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 15.
    CSRF protection • DjangoCSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
  • 16.
    CSRF protection • DjangoCSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Random token value by CsrfViewMiddleware (CSRF cookie) ‣ `csrf_token` template tag generate hidden input ‣ Every request calls django.middleware.csrf.get_token() ‣ Compare CSRF cookie with `csrfmiddlewaretoken` value ‣ With HTTPS, CsrfViewMiddleWare will check referer header
  • 17.
    CSRF protection • DjangoCSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Pass CSRF token as POST data with every POST request ‣ Set a custom `X-CSRFToken` header on each request ‣ CSRF cookie might not exist without `csrf_token` tag
  • 18.
    CSRF protection • DjangoCSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() var origSync = Backbone.sync; Backbone.sync = function (method, model, options) { options.beforeSend = function (xhr) { xhr.setRequestHeader('X-CSRFToken', $.cookie('csrftoken')); }; ! return origSync(method, model, options); };
  • 19.
    CSRF protection • DjangoCSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
  • 20.
    CSRF protection • DjangoCSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
  • 21.
    CSRF protection • DjangoCSRF Protection Workflow • CSRF Protection for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt
  • 22.
    Django Security Features XSSProtection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 23.
    Injection protection • ScriptInjection • SQL Injection
  • 24.
    Injection protection • ScriptInjection • SQL Injection ‣Beware of the eval(), exec() and execfile() ‣DO NOT use `pickle` module to serialize/deserialize data. ‣Only use safe_load() in PyYAML
  • 25.
    Injection protection • ScriptInjection • SQL Injection ‣ Django Queryset escape varaibles automatically ‣ Be careful to escape raw SQL properly ‣ Exercise caution when using extra()
  • 26.
    Django Security Features XSSProtection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 27.
    Clickjacking protection • `X-Frame-Options`HTTP header • Configurations • @xframe_options_exempt • Browsers Support
  • 28.
    Clickjacking protection • `X-Frame-Options`HTTP header • Configurations • @xframe_options_exempt • Browsers Support Whether or not a resource is allowed to load within a frame or iframe
  • 29.
    Clickjacking protection • `X-Frame-Options`HTTP header • Configurations • @xframe_options_exempt • Browsers Support MIDDLEWARE_CLASSES = ( ... 'django.middleware.clickjacking.XFrameOptionsMiddleware', ... )
  • 30.
    Clickjacking protection • `X-Frame-Options`HTTP header • Configurations • @xframe_options_exempt • Browsers Support # Default X_FRAME_OPTIONS = 'SAMEORIGIN' ! X_FRAME_OPTIONS = 'DENY'
  • 31.
    Clickjacking protection • `X-Frame-Options`HTTP header • Configurations • @xframe_options_exempt • Browsers Support
  • 32.
    Clickjacking protection • `X-Frame-Options`HTTP header • Configurations • @xframe_options_exempt • Browsers Support ‣ Internet Explorer 8+ ‣ Firefox 3.6.9+ ‣ Opera 10.5+ ‣ Safari 4+ ‣ Chrome 4.1+
  • 33.
    Django Security Features XSSProtection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 34.
    SSL / HTTPS •HTTPS Everywhere ! • Secure Cookies • HSTS • Packages
  • 35.
    SSL / HTTPS •HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣ Web server configuration ‣ Django middleware ‣ SSL certificate from reputable source
  • 36.
    SSL / HTTPS •HTTPS Everywhere ! • Secure Cookies • HSTS • Packages SECURE_PROXY_SSL_HEADER = False ! $ export HTTPS=on
  • 37.
    SSL / HTTPS •HTTPS Everywhere ! • Secure Cookies • HSTS • Packages SESSION_COOKIE_SECURE = True ! CSRF_COOKIE_SECURE = True
  • 38.
    SSL / HTTPS •HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣Redirect HTTP links to HTTPS ‣Web server level configuration ‣HSTS-compliant browsers
  • 39.
    SSL / HTTPS •HTTPS Everywhere ! • Secure Cookies • HSTS • Packages Strict-Transport-Security: max-age=31536000, includeSubDomains
  • 40.
    SSL / HTTPS •HTTPS Everywhere ! • Secure Cookies • HSTS • Packages ‣ django-sslify ‣ django-secure ‣ django-hstsmiddleware
  • 41.
    Django Security Features XSSProtection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 42.
    Password Storage • PBKDF2+ SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
  • 43.
    Password Storage • PBKDF2+ SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
  • 44.
    Password Storage • PBKDF2+ SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor <algorithm>$<iteration>$<salt>$<hash>
  • 45.
    Password Storage • PBKDF2+ SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor PASSWORD_HASHERS = ( 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher', 'django.contrib.auth.hashers.MD5PasswordHasher', 'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher', 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher', 'django.contrib.auth.hashers.CryptPasswordHasher', )
  • 46.
    Password Storage • PBKDF2+ SHA256 • User.password • PASSWORD_HASHER • bcrypt • Increase work factor
  • 47.
    Password Storage • PBKDF2+ SHA256 • User.password • PASSWORD_HASHER • Use bcrypt • Increase work factor
  • 48.
    Django Security Features XSSProtection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
  • 49.
    Data Validation • DjangoForms • User-Uploaded Content
  • 50.
    Data Validation • DjangoForms • User-Uploaded Content ‣ Designed to validate Python dictionaries ‣ Not only for HTTP POST request ‣ DO NOT use ModelForms.Meta.exclude ‣ Use ModelForms.Meta.fields instead
  • 51.
    Data Validation • DjangoForms • User-Uploaded Content from django import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Don't Do this!! excludes = ("pk", "slug", "modified")
  • 52.
    Data Validation • DjangoForms • User-Uploaded Content from django import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Explicitly specifying what we want fields = ("title", "address", "email")
  • 53.
    Data Validation • DjangoForms • User-Uploaded Content ‣ Limit upload in web server ‣ FileField / ImageField ‣ python-magic ‣ Validate with specific file type library
  • 54.
    Data Validation • DjangoForms • User-Uploaded Content from django.utils.image import Image ! try: Image.open(file).verify() except Exception: # Pillow (or PIL) doesn't recognize it as an image. six.reraise(ValidationError, ValidationError( self.error_messages['invalid_image'], code='invalid_image', ), sys.exc_info()[2])
  • 55.
    I. Django Configurations II.Django Security Features III. Django Admin IV. What Else ?
  • 56.
    Django Admin Change theDefault Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 57.
    Django Admin Change theDefault Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 58.
    Django Admin Change theDefault Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 59.
    Django Admin Change theDefault Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ Web server configuration ‣ Django middleware
  • 60.
    Django Admin Change theDefault Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 61.
    Django Admin Change theDefault Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
  • 62.
    Django Admin Change theDefault Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ django-admin-honeypot ‣ django-axes
  • 63.
    I. Django Configurations II.Django Security Features III. Django Admin IV. What Else ?
  • 64.
    What else ? Hardenyour servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 65.
    What else ? Hardenyour servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 66.
    What else ? Hardenyour servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ PCI-DSS Security Standards ‣ Sufficient Time/Resource/Funds ‣ Using 3rd-Party Services ‣ Beware of Open Source Solutions
  • 67.
    What else ? Hardenyour servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ Check access/error logs regularly ‣ Install monitoring tools
  • 68.
    What else ? Hardenyour servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 69.
    What else ? Hardenyour servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 70.
    What else ? Hardenyour servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 71.
    What else ? Hardenyour servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 72.
    What else ? Hardenyour servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
  • 73.
    Keep Things Up-to-Date •Dependencies • Security Practices
  • 74.
    Keep Things Up-to-Date •Dependencies • Security Practiceshttps://www.djangoproject.com/weblog/
  • 75.
    Keep Things Up-to-Date •Dependencies • Security Practices
  • 76.
    Keep Things Up-to-Date •Dependencies • Security Practices
  • 77.
    Keep Things Up-to-Date •Dependencies • Security Practices
  • 78.