How secure is Django

A client of mine asked me this question. I am not even sure what to reply? I am no security expert, just a web dev. What can or must I say?

591 likes
Harry asked Jul 27 '11 10:07

2 Answers

By default, Django prevents most common security mistakes:

  • XSS (cross-site scripting) protection — Django's template system escapes variables by default, unless they are explicitly marked as safe.
  • CSRF (cross-site request forgery) protection — easy to turn on globally, guarantees that forms (POST requests) are sent from your own site.
  • SQL injection protection — Django uses its built-in ORM, thus there is no risk of SQL injection (raw queries are possible, but by no means something that a beginner would need to use).

Additional security features:

  • Clickjacking protection — Django can detect when the content is requested from an unauthorized iframe.
  • Safe password hash — Django uses PBKDF2 by default; another option is bcrypt. Both are resilient to rainbow tables (thanks to salting), and both require significant compute time to prevent easy brute force.

It's also important to note that Django is implemented in Python, which has an excellent security track record. Thus the underlying language is not a security risk.

More on Django security: https://docs.djangoproject.com/en/stable/topics/security/

148 likes
vartec answered Oct 21 '22 23:10
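As an added example (not code from this answer or from Django itself): a small stand-alone audit of the settings that switch on the protections listed above. It does not import Django; it inspects a constructed settings dict, so it runs offline. The middleware, hasher and setting names are Django's real ones, and the two settings dicts are constructed for illustration. Django ships an equivalent, broader check as `python manage.py check --deploy`.

```python
# Added example, not from the answers: audit a Django settings dict for the
# protections the answer lists. Names are Django's; the dicts are constructed.

CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
CLICKJACK_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"
SECURITY_MW = "django.middleware.security.SecurityMiddleware"
STRONG_HASHERS = {  # slow, salted hashers shipped with Django
    "django.contrib.auth.hashers.PBKDF2PasswordHasher",
    "django.contrib.auth.hashers.Argon2PasswordHasher",
    "django.contrib.auth.hashers.BCryptSHA256PasswordHasher",
}

# Constructed: a hastily deployed project that switched the defaults off.
WEAK_SETTINGS = {
    "DEBUG": True,
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
    "PASSWORD_HASHERS": ["django.contrib.auth.hashers.MD5PasswordHasher"],
}

# Constructed: the same project with the defaults restored and cookies hardened.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "MIDDLEWARE": [SECURITY_MW, "django.contrib.sessions.middleware.SessionMiddleware",
                   CSRF_MW, "django.contrib.auth.middleware.AuthenticationMiddleware",
                   CLICKJACK_MW],
    "PASSWORD_HASHERS": ["django.contrib.auth.hashers.PBKDF2PasswordHasher"],
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}

def audit(settings):
    findings = []  # protections from the answer that this config leaves off
    mw = settings.get("MIDDLEWARE", [])
    if settings.get("DEBUG", False):
        findings.append("DEBUG=True: tracebacks and settings are shown to users")
    if CSRF_MW not in mw:
        findings.append("CSRF protection off: CsrfViewMiddleware not loaded")
    if CLICKJACK_MW not in mw:
        findings.append("clickjacking protection off: XFrameOptionsMiddleware not loaded")
    if SECURITY_MW not in mw:
        findings.append("SecurityMiddleware not loaded: no HSTS/nosniff headers")
    # Django hashes new passwords with the FIRST hasher in the list.
    hashers = settings.get("PASSWORD_HASHERS") or ["django.contrib.auth.hashers.PBKDF2PasswordHasher"]
    if hashers[0] not in STRONG_HASHERS:
        findings.append("weak first PASSWORD_HASHER: " + hashers[0])
    for flag in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(flag, False):  # Django's default is False
            findings.append(flag + "=False: cookie may be sent over plain HTTP")
    return findings
```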


Django is as secure as any web framework can be. It provides tools and docs to prevent common mistakes causing security problems (CSRF, XSS, etc.).

However, a tool in itself cannot be "secure". The whole platform's security depends on the proper use of the tools you choose, and thus is more a matter of developer skills.

22 likes
Thibault J answered Oct 21 '22 21:10