I've been developing a couple of applications inside a Django CMS installation and have found it caches things well against my orders. This might not be such an issue in production but while I'm testing layouts, having to wait 10 minutes (or restart memcache) gets pretty boring.
Can I disable Django CMS's caching globally in my development settings?
Set the following settings locally:
CMS_PAGE_CACHE = False
CMS_PLACEHOLDER_CACHE = False
CMS_PLUGIN_CACHE = False
If it still caches after that, then it could be a bug..
Related
Before all I use Django 2.1 + Python 3.6
I have to admit that Django is a framework that makes the life of a developer a lot easier even if it is relative.
Now that we've written a Django project, done the tests, deployed its web app;
Questions:
What are the security points that are not particularly covered by
Django?
Can we have a vulnerabilities checklist related to sites written with
Django?
What are the important security tests for ensured the stability of an app written in Django?
Use Observatory by Mozilla site to scan the security status of your site. The site also includes third-party scanners which test other security aspects of your site.
Here's an example of the scan results of a given site:
The best grade to get is A+ (scores can even exceed 100%), but don't be surprised a site scores a straight F (fail), even though the site has passed the basic deployment checklist.
To improve your site security, ensure you have these settings in your settings.py:
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict'
SESSION_COOKIE_SECURE = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_SSL_REDIRECT = True
X_FRAME_OPTIONS = 'DENY'
SECURE_HSTS_SECONDS = 300 # set low, but when site is ready for deployment, set to at least 15768000 (6 months)
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
Then use the SRI Hash Generator to ensure all your scripts are loaded securely from third-party sites.
Finally, the most challenging and time-consuming to implement is the Content Security Policy (CSP), particularly if the site is large, contains a lot of third-party code, and has a lot of inline scripts and styles scattered all over the project. To make the task easier, you can install Mozilla's django-csp and use your browser's console to track the security violations in your code. You will also need to fill in the following settings in your settings.py:
CSP_DEFAULT_SRC = ("'none'",)
CSP_STYLE_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'",)
CSP_IMG_SRC = ("'self'",)
This site helps to explain about CSP and what to do with inline scripts.
Optionally, you can install django-referrer-policy to set the Referrer-Policy header for added security (and higher grade!).
I am a beginner myself, and all the above are based on my research and what I did to improve my site security.
one of the security check you can perform is Deployment checklist
Run
manage.py check --deploy
other security check can be referred in official docs
In my mezzanine based django project I have Debug = False set within my settings.py file
However, when visiting a url that does not exist my project still throws this error:
You're seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard 404 page.
Is there a second location where Debug needs to be set?
My guess is you need to change it in local_settings.py, which overrides settings.py variables in a Mezzanine project by default.
While sometimes useful, running the development server with DEBUG = False is not a use case Mezzanine is designed to support out of the box and you may encounter buggy behavior. I recommend primarily using DEBUG = True with the development server and DEBUG = False with your production server.
I'm working on a django project and since a few days django keeps logging me of after I change a source file.
The expire date in the cookies and in the database show that theres still 1 month left.
Even after making the change the session cookie is the same as in the database but I have to login again. and after logging in both sessionids (database and browser) change.
I'm using django 1.8.5
edit:
some session related settings:
SESSION_EXPIRE_AT_BROWSER_CLOSE False
SESSION_COOKIE_HTTPONLY True
SESSION_COOKIE_DOMAIN None
SESSION_SAVE_EVERY_REQUEST False
SESSION_COOKIE_SECURE False
edit2:
Just to be a bit more clear: After changing some source file (python files, templates work just fine) the server will reload (if I use --noreload, I have to do it manually to get the changes), after that everyone is logged out.
edit3:
CACHES {'default': {'BACKEND': 'django.core.cache.backends.locmem.LocMemCache'}}
SESSION_ENGINE 'django.contrib.sessions.backends.db'
Django has a SESSION_ENGINE setting that controls how the session information is stored on the server. One of the options is django.contrib.sessions.backends.cache, which stores session information only in cache memory.
Now, there's a certain cache backend - django.core.cache.backends.locmem.LocMemCache -, which stores information in the local python memory (for more info see CACHES). This cache backend is a typical choice for development, and of course resets each time the server is reloaded.
Using these two settings together would perfectly explain the situation you describe. Hope this helps!
I understand that django cache issues have been discussed heavily all over the web (e.g., Temporarily Disabling Django Caching). But, this cache is driving me crazy.
I did disable the cache from the settings and used #never_cache for my views. I'm doing micro unit tests and I want to test every line of code. Unfortunately, django keeps on showing the old page for a few minutes before it refreshes it.
My setting: django on Apache's mod_wsgi
Even with a simple view with one line of text in it, this problem persists.
Question: Can django's cache be entirely disabled for good? I cannot do any debugging/testing while even minimum caching is there.
When I make or alter translations in Rosetta in Django backend, the po and mo files get updated. However, I don't see them directly show up in the frontend.
The doc of Rosetta says:
NEW: if your webserver supports it, you can force auto-reloading of
the translated catalog whenever a change was saved. See the note
regarding the ROSETTA_WSGI_AUTO_RELOAD variable
So which conditions should the webserver fulfill for this to work?
as far as i have understood you have to set up your server with wsgi (e.g. Apache mod_wsgi) to use this feature.
ROSETTA_WSGI_AUTO_RELOAD and ROSETTA_UWSGI_AUTO_RELOAD: When running WSGI daemon mode, using mod_wsgi 2.0c5 or later, this setting controls whether the contents of the gettext catalog files should be automatically reloaded by the WSGI processes each time they are modified. For performance reasons, this setting should be disabled in production environments. Default to False.
You just need to add ROSETTA_WSGI_AUTO_RELOAD = True and ROSETTA_UWSGI_AUTO_RELOAD = True in your settings.py file.
If you have multiple settings.py file then have add these lines for all your settings file.
Example:
ROSETTA_WSGI_AUTO_RELOAD = True
ROSETTA_UWSGI_AUTO_RELOAD = True