Contribute Media
A thank you to everyone who has made this possible: Read More

Frog and Toad Learn About Django Security

Description

DjangoCon US 2016 - Frog and Toad Learn About Django Security by Philip James

Django Security Talk Notes

Introduction Philip James, how long I’ve worked with Python and Django, background at EB Introduction to the story, and the characters Safe-ish: Talk about Django’s Security Model and how it tries to provide sane defaults for developers Run-through of the parts of the django security model

XSS (brief definition)

Django escapes characters by default

How?

How do you turn it off? Mark Safe, | n, safe

CSRF (brief definition)

Django has middleware that checks POST requests for a token

How?

Token is stored in cookie, also

Could be better? Make cookie httponly

Side-effect: harder to JS. Also, only an issue if you’re already owned, so maybe not an issue?

How to get around it? csrf_exempt

SQLi (brief definition)

Django’s ORM makes clean sql, (even when given bad data?)

How?

How to get around it: extra()/RawSQL()

Clickjacking protection (brief definition)

Django has middleware that sets headers browsers are supposed to respect

Which browsers? https://docs.djangoproject.com/en/1.8/ref/clickjacking/#limitations

How to get around it: xframe_options_exempt, xframe_options_deny, xframe_options_sameorigin

HTTPS

This one is less "out of the box" than the others, so won’t be talked about here. Host Header Validation (brief definition)

Django verifies against allowed hosts in settings

How? get_host()

Session security

What are django sessions?

Cookie-based by design

How can we make this better?

Overall: Vigilance. Be aware of uses of this within your product

XSS, CSRF, SQLi, Clickjacking: Have them all enabled, write rules to check for "escape-hatch" functions

HTTPS:

Use it!

Set the correct settings

SECURE_SSL_REDIRECT: How does it work?

Other things

django-secure

https://www.ponycheckup.com/

http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/

Improve this page