Before all I use Django 2.1 + Python 3.6
I have to admit that Django is a framework that makes the life of a developer a lot easier even if it is relative.
Now that we've written a Django project, done the tests, deployed its web app;
Questions:
What are the security points that are not particularly covered by
Django?
Can we have a vulnerabilities checklist related to sites written with
Django?
What are the important security tests for ensured the stability of an app written in Django?
Use Observatory by Mozilla site to scan the security status of your site. The site also includes third-party scanners which test other security aspects of your site.
Here's an example of the scan results of a given site:
The best grade to get is A+ (scores can even exceed 100%), but don't be surprised a site scores a straight F (fail), even though the site has passed the basic deployment checklist.
To improve your site security, ensure you have these settings in your settings.py:
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict'
SESSION_COOKIE_SECURE = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_SSL_REDIRECT = True
X_FRAME_OPTIONS = 'DENY'
SECURE_HSTS_SECONDS = 300 # set low, but when site is ready for deployment, set to at least 15768000 (6 months)
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
Then use the SRI Hash Generator to ensure all your scripts are loaded securely from third-party sites.
Finally, the most challenging and time-consuming to implement is the Content Security Policy (CSP), particularly if the site is large, contains a lot of third-party code, and has a lot of inline scripts and styles scattered all over the project. To make the task easier, you can install Mozilla's django-csp and use your browser's console to track the security violations in your code. You will also need to fill in the following settings in your settings.py:
CSP_DEFAULT_SRC = ("'none'",)
CSP_STYLE_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'",)
CSP_IMG_SRC = ("'self'",)
This site helps to explain about CSP and what to do with inline scripts.
Optionally, you can install django-referrer-policy to set the Referrer-Policy header for added security (and higher grade!).
I am a beginner myself, and all the above are based on my research and what I did to improve my site security.
one of the security check you can perform is Deployment checklist
Run
manage.py check --deploy
other security check can be referred in official docs
Related
I have a Django API that is being deployed in PythonAnywhere.
For that, I can not let the default option in settings.py as True:
DEBUG=True
However, the app also has a Swagger page using drf-yasg library. For that to work locally, I have to set the debug option as true.
However is being troublesome to maintain it, and I often mistakenly commit it as True to the repository.
Is there anyway I could manage this option so whenever I am running locally, it will automatically set it to True, but leave it as False by default?
DEBUG=False
For this purpose I use python-decouple package. To distinguish between production and development environments you can create one .env file with all production-related variables in it. In settings.py when retrieving the configuration parameters leave every default option with the one used in development. So when .env file is not present the default values are gonna be set.
from decouple import config
DEBUG = config('YOUR_ENV_VAR_DEBUG', default=True, cast=bool)
For more real-world use cases, please refer to the documentation.
I know this seems like a duplicate but this actually was intended to be a comment under an answer but I cannot comment with my current reputation score.
I'm new when it comes to Django and REST-APIs. I am developing an open API that is publicly accessible.
While researching about the CORS_ORIGIN_WHITELIST and ALLOWED_HOSTS setting in Django, I stumbled on this answer. The author suggests to set CORS_ORIGIN_ALLOW_ALL to True and says that if you do that, you also want to set a wildcard for the ALLOWED_HOSTS setting.
I understand that for an open API, I want to set CORS_ORIGIN_ALLOW_ALL to True but I don't understand why I would want to set a wildcard for ALLOWED_HOSTS. From my understanding, you want to set only the hostname of the server(s) the API is running on, correct?
I read the django documentation and some other sources but I feel like I don't understand this enough yet.
Could you elaborate #tim-mccurrach? I unfortunately cannot comment under your answer in the original question because I don't have the 50 point reputation score yet.
I followed a tutorial from a site and I deployed my django app on pythonanywhere.com.For this purpose I had to use git to upload codes.As a result my settings.py file was accessible by anybody.so any one could see my secret key on settings.py .It is not good right?
I also left DEBUG = True later I found it is not secure.Then I set DEBUG = False on my local machine and it showed it need allowed hosts.What are those things? what should I do? Where can I learn about these?
I'm working on a django project and since a few days django keeps logging me of after I change a source file.
The expire date in the cookies and in the database show that theres still 1 month left.
Even after making the change the session cookie is the same as in the database but I have to login again. and after logging in both sessionids (database and browser) change.
I'm using django 1.8.5
edit:
some session related settings:
SESSION_EXPIRE_AT_BROWSER_CLOSE False
SESSION_COOKIE_HTTPONLY True
SESSION_COOKIE_DOMAIN None
SESSION_SAVE_EVERY_REQUEST False
SESSION_COOKIE_SECURE False
edit2:
Just to be a bit more clear: After changing some source file (python files, templates work just fine) the server will reload (if I use --noreload, I have to do it manually to get the changes), after that everyone is logged out.
edit3:
CACHES {'default': {'BACKEND': 'django.core.cache.backends.locmem.LocMemCache'}}
SESSION_ENGINE 'django.contrib.sessions.backends.db'
Django has a SESSION_ENGINE setting that controls how the session information is stored on the server. One of the options is django.contrib.sessions.backends.cache, which stores session information only in cache memory.
Now, there's a certain cache backend - django.core.cache.backends.locmem.LocMemCache -, which stores information in the local python memory (for more info see CACHES). This cache backend is a typical choice for development, and of course resets each time the server is reloaded.
Using these two settings together would perfectly explain the situation you describe. Hope this helps!
I've been developing a couple of applications inside a Django CMS installation and have found it caches things well against my orders. This might not be such an issue in production but while I'm testing layouts, having to wait 10 minutes (or restart memcache) gets pretty boring.
Can I disable Django CMS's caching globally in my development settings?
Set the following settings locally:
CMS_PAGE_CACHE = False
CMS_PLACEHOLDER_CACHE = False
CMS_PLUGIN_CACHE = False
If it still caches after that, then it could be a bug..