How we found our security best practices (and what they are)

Summary

Mozilla takes data security very seriously. We have AppSec, OpSec, and InfraSec teams, and our web developers have baked our security best practices into documentation and a Django app called Funfactory. Hear how we came to those best practices, what they are, and how to follow them.

Description

Privacy and security are key parts of Mozilla's mission, and we build some of the largest Django applications on the web, so being at the absolute forefront of security is crucial to us. And having a great user experience is, too. So over the past few years, we've developed a number of proposals, tools (like Bleach and django-ratelimit), and best practices, and we've wrapped these up into our application template Playdoh and an app called Funfactory.

I'll share those best practices and their motivations. We'll also go over a number of tools, settings, and even some fairly new web standard proposals (with tools, of course) to help you build the most secure Django applications you can, at whatever scale you're building.