8. Django Configurations
Designate Settings
DEBUG / TEMPLATE_DEBUG
ALLOWED_HOSTS
SECRET_KEY
!
# Must be set when DEBUG = False
ALLOWED_HOSTS = [
'localhost',
'www.example.com',
'.example.com',
'*' # Avoid !
]
9. Django Configurations
Designate Settings
DEBUG / TEMPLATE_DEBUG
ALLOWED_HOSTS
SECRET_KEY
!
‣ Configuration values, not code.
‣ DO NOT keep them in version control.
‣ Use environment variables.
12. Django Security Features
XSS Protection
CSRF Protection
Injection Protection
Clickjacking Protection
SSL / HTTPS
Password Storage
Data Validation
13. Django Security Features
XSS Protection
CSRF Protection
Injection Protection
Clickjacking Protection
SSL / HTTPS
Password Storage
Data Validation
‣ Django by default escapes specific characters
‣ Be careful when using is_safe attribute
‣ Be very careful when storing HTML in Database
14. Django Security Features
XSS Protection
CSRF Protection
Injection Protection
Clickjacking Protection
SSL / HTTPS
Password Storage
Data Validation
15. CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than @csrf_protect
• Be careful with @csrf_exempt
16. CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than csrf_protect()
• Be careful with csrf_exempt()
‣ Random token value by CsrfViewMiddleware (CSRF cookie)
‣ `csrf_token` template tag generate hidden input
‣ Every request calls django.middleware.csrf.get_token()
‣ Compare CSRF cookie with `csrfmiddlewaretoken` value
‣ With HTTPS, CsrfViewMiddleWare will check referer header
17. CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than csrf_protect()
• Be careful with csrf_exempt()
‣ Pass CSRF token as POST data with every POST request
‣ Set a custom `X-CSRFToken` header on each request
‣ CSRF cookie might not exist without `csrf_token` tag
18. CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than csrf_protect()
• Be careful with csrf_exempt()
var origSync = Backbone.sync;
Backbone.sync = function (method, model, options) {
options.beforeSend = function (xhr) {
xhr.setRequestHeader('X-CSRFToken', $.cookie('csrftoken'));
};
!
return origSync(method, model, options);
};
19. CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than @csrf_protect
• Be careful with @csrf_exempt
20. CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than @csrf_protect
• Be careful with @csrf_exempt
21. CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than @csrf_protect
• Be careful with @csrf_exempt
22. Django Security Features
XSS Protection
CSRF Protection
Injection Protection
Clickjacking Protection
SSL / HTTPS
Password Storage
Data Validation
24. Injection protection
• Script Injection
• SQL Injection
‣Beware of the eval(), exec() and execfile()
‣DO NOT use `pickle` module to serialize/deserialize data.
‣Only use safe_load() in PyYAML
25. Injection protection
• Script Injection
• SQL Injection
‣ Django Queryset escape varaibles automatically
‣ Be careful to escape raw SQL properly
‣ Exercise caution when using extra()
26. Django Security Features
XSS Protection
CSRF Protection
Injection Protection
Clickjacking Protection
SSL / HTTPS
Password Storage
Data Validation
28. Clickjacking protection
• `X-Frame-Options` HTTP header
• Configurations
• @xframe_options_exempt
• Browsers Support
Whether or not a resource is allowed to load
within a frame or iframe
50. Data Validation
• Django Forms
• User-Uploaded Content
‣ Designed to validate Python dictionaries
‣ Not only for HTTP POST request
‣ DO NOT use ModelForms.Meta.exclude
‣ Use ModelForms.Meta.fields instead
51. Data Validation
• Django Forms
• User-Uploaded Content
from django import forms
from .models import Store
!
class StoreForm(forms.ModelForm):
!
class Meta:
model = Store
# Don't Do this!!
excludes = ("pk", "slug", "modified")
52. Data Validation
• Django Forms
• User-Uploaded Content
from django import forms
from .models import Store
!
class StoreForm(forms.ModelForm):
!
class Meta:
model = Store
# Explicitly specifying what we want
fields = ("title", "address", "email")
53. Data Validation
• Django Forms
• User-Uploaded Content
‣ Limit upload in web server
‣ FileField / ImageField
‣ python-magic
‣ Validate with specific file type library
54. Data Validation
• Django Forms
• User-Uploaded Content
from django.utils.image import Image
!
try:
Image.open(file).verify()
except Exception:
# Pillow (or PIL) doesn't recognize it as an image.
six.reraise(ValidationError, ValidationError(
self.error_messages['invalid_image'],
code='invalid_image',
), sys.exc_info()[2])
56. Django Admin
Change the Default Admin URL
Access Admin via HTTPS
Limited Access Based on IP
Use `allow_tags` attribute with Caution
Admin Docs
Packages
57. Django Admin
Change the Default Admin URL
Access Admin via HTTPS
Limited Access Based on IP
Use `allow_tags` attribute with Caution
Admin Docs
Packages
58. Django Admin
Change the Default Admin URL
Access Admin via HTTPS
Limited Access Based on IP
Use `allow_tags` attribute with Caution
Admin Docs
Packages
59. Django Admin
Change the Default Admin URL
Access Admin via HTTPS
Limited Access Based on IP
Use `allow_tags` attribute with Caution
Admin Docs
Packages
‣ Web server configuration
‣ Django middleware
60. Django Admin
Change the Default Admin URL
Access Admin via HTTPS
Limited Access Based on IP
Use `allow_tags` attribute with Caution
Admin Docs
Packages
61. Django Admin
Change the Default Admin URL
Access Admin via HTTPS
Limited Access Based on IP
Use `allow_tags` attribute with Caution
Admin Docs
Packages
62. Django Admin
Change the Default Admin URL
Access Admin via HTTPS
Limited Access Based on IP
Use `allow_tags` attribute with Caution
Admin Docs
Packages
‣ django-admin-honeypot
‣ django-axes
64. What else ?
Harden your servers
NEVER store credit card data
Server monitoring
Vulnerability reporting page
Keep things up-to-date
65. What else ?
Harden your servers
NEVER store credit card data
Server monitoring
Vulnerability reporting page
Keep things up-to-date
66. What else ?
Harden your servers
NEVER store credit card data
Server monitoring
Vulnerability reporting page
Keep things up-to-date
‣ PCI-DSS Security Standards
‣ Sufficient Time/Resource/Funds
‣ Using 3rd-Party Services
‣ Beware of Open Source Solutions
67. What else ?
Harden your servers
NEVER store credit card data
Server monitoring
Vulnerability reporting page
Keep things up-to-date
‣ Check access/error logs regularly
‣ Install monitoring tools
68. What else ?
Harden your servers
NEVER store credit card data
Server monitoring
Vulnerability reporting page
Keep things up-to-date
69. What else ?
Harden your servers
NEVER store credit card data
Server monitoring
Vulnerability reporting page
Keep things up-to-date
70. What else ?
Harden your servers
NEVER store credit card data
Server monitoring
Vulnerability reporting page
Keep things up-to-date
71. What else ?
Harden your servers
NEVER store credit card data
Server monitoring
Vulnerability reporting page
Keep things up-to-date
72. What else ?
Harden your servers
NEVER store credit card data
Server monitoring
Vulnerability reporting page
Keep things up-to-date