Django Security Tips

Feb 2016 Update: I’m excited to tell you all that this blog post has been accepted and published on the Django Girls website here, http://blog.djangogirls.org/post/139848320093/django-security-tips-for-beginners#notes

The following is a document I compiled for a friend who was starting with Django.

I have been using Django for the last 2 years and have compiled a list of basics to be taken care of to ensure a secure Django app (this is based on experience, to ensure nobody else repeats the mistakes I’ve made).

Some pointers to begin with:

  1. A basic check – https://www.ponycheckup.com/
  2. Use Django templates to protect yourself against the majority of XSS attacks
  3. It is always better for security, though not always practical in all cases, to deploy your site behind HTTPS (Set up redirection so that requests over HTTP are redirected to HTTPS)
  4. Session security – I used https://github.com/yourlabs/django-session-security for my previous Django app
  5. Ensure DEBUG is set to False in settings.py in the production environment
  6. Avoid marking views with the csrf_exempt decorator unless it is absolutely necessary
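Points 3, 5 and 6 above are the ones that most often slip through when a development config is deployed as-is. The script below is an added example (not part of the original post, and not Django's own code): an offline audit of a settings object for the production settings those points rely on, plus an `ast` scan that lists views carrying `csrf_exempt`, so the exemptions can be reviewed deliberately. The checks are a hand-written subset of what `python manage.py check --deploy` (available since Django 1.8) reports; the settings objects, the view module source and the view names `webhook` and `profile` are constructed for the example.

```python
"""Offline audit of Django production settings and csrf_exempt usage (added example)."""
import ast
from types import SimpleNamespace


def audit_settings(settings):
    """Return a list of (setting, advice) findings for a settings module or object.

    Hand-written subset of the deployment checks Django ships; the real
    settings names are used, but this is not Django's own implementation.
    """
    findings = []
    if getattr(settings, "DEBUG", False):
        findings.append(("DEBUG", "must be False in production: debug pages expose settings and source"))
    if not getattr(settings, "SECURE_SSL_REDIRECT", False):
        findings.append(("SECURE_SSL_REDIRECT", "set True so plain-HTTP requests are redirected to HTTPS"))
    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not getattr(settings, name, False):
            findings.append((name, "set True so the cookie is only ever sent over HTTPS"))
    hosts = getattr(settings, "ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append(("ALLOWED_HOSTS", "list the real hostnames; an empty list or '*' accepts any Host header"))
    secret = getattr(settings, "SECRET_KEY", "")
    # Django's own check warns when the key is under 50 characters or has fewer than 5 unique ones.
    if len(secret) < 50 or len(set(secret)) < 5:
        findings.append(("SECRET_KEY", "use a long random value (at least 50 chars, not a placeholder)"))
    return findings


def _names_in(decorator):
    """Yield the bare identifiers a decorator node refers to, e.g. csrf_exempt in
    @csrf_exempt, @views.csrf_exempt or @method_decorator(csrf_exempt, name='dispatch')."""
    nodes = [decorator.func, *decorator.args] if isinstance(decorator, ast.Call) else [decorator]
    for node in nodes:
        if isinstance(node, ast.Attribute):
            yield node.attr
        elif isinstance(node, ast.Name):
            yield node.id


def find_csrf_exempt_views(source):
    """Return the names of functions and classes decorated with csrf_exempt in Django view source."""
    exempt = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            if any("csrf_exempt" in _names_in(dec) for dec in node.decorator_list):
                exempt.append(node.name)
    return exempt


# Constructed sample: a development config shipped unchanged to production.
DEV_SETTINGS = SimpleNamespace(DEBUG=True, SECRET_KEY="changeme", ALLOWED_HOSTS=[])

# Constructed sample: the same settings hardened. The SECRET_KEY here is a
# placeholder built from printable characters, not a real key.
PROD_SETTINGS = SimpleNamespace(
    DEBUG=False,
    SECRET_KEY="".join(chr(33 + i % 80) for i in range(64)),
    ALLOWED_HOSTS=["example.com"],
    SECURE_SSL_REDIRECT=True,
    SESSION_COOKIE_SECURE=True,
    CSRF_COOKIE_SECURE=True,
)

# Constructed views module; `webhook` and `profile` are hypothetical view names.
VIEWS_SRC = """
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def webhook(request):
    return None

def profile(request):
    return None
"""

if __name__ == "__main__":
    for label, cfg in (("dev", DEV_SETTINGS), ("prod", PROD_SETTINGS)):
        print(label, audit_settings(cfg))
    print("csrf_exempt views:", find_csrf_exempt_views(VIEWS_SRC))
```

Run it against a real project by importing its settings module in place of the `SimpleNamespace` objects and feeding `find_csrf_exempt_views` the text of each `views.py`; every name it prints should have a written reason for bypassing CSRF protection.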


Choosing an API framework for Django – http://www.pydanny.com/choosing-an-api-framework-for-django.html

We use DRF at work – http://www.django-rest-framework.org/


Must read:
1. http://www.slideshare.net/spinlai/django-workshop-securitybestpractices (overview of what Django helps us with)
2. http://www.djangobook.com/en/2.0/chapter20.html (very informative)

Further reading:
1. https://docs.djangoproject.com/en/1.8/topics/security/
2. http://blog.solidlinks.nl/post/50582466403/a-brief-survey-of-django-security-djangocon-eu
3. https://speakerdeck.com/erik/building-secure-django-websites
4. http://www.slideshare.net/levigross/django-web-application-security

You can rely on answers to common Django problems on Stack Overflow (mainly from pydanny and Daniel Roseman).


You may want to add some points that I may have missed out in the comments section 🙂
