Before all I use Django 2.1 + Python 3.6
I have to admit that Django is a framework that makes the life of a developer a lot easier even if it is relative.
Now that we've written a Django project, done the tests, and deployed its web app:
Questions:
What are the security points that are not particularly covered by Django?
Can we have a vulnerabilities checklist related to sites written with Django?
What are the important security tests to ensure the stability of an app written in Django?
You can see some descriptions which provide information about your Django web application vulnerabilities. Try to google these security issues and fix them before production. If you have already deployed your application, then use the Observatory by Mozilla site to scan the security status of your site.
While Django's templating system will catch the vast majority of XSS attempts, we need to be certain to escape any data inserted into CSS or Javascript, validate URL attributes, and avoid using django.utils.safestring's mark_safe haphazardly. Another common web security vulnerability is Cross Site Request Forgeries (CSRF).
In fact, BitBucket , dpaste, and Mozilla Support are all employing Python/Django for their mission-critical web offerings, so have no fear—effective vulnerability management and visibility into existing Django security gaps can go a long way towards hardening your Django-based web app against attacks.
Use Observatory by Mozilla site to scan the security status of your site. The site also includes third-party scanners which test other security aspects of your site.
Here's an example of the scan results of a given site:
The best grade to get is A+ (scores can even exceed 100%), but don't be surprised if a site scores a straight F (fail), even though the site has passed the basic deployment checklist.
To improve your site security, ensure you have these settings in your settings.py:
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = 'Strict'
SESSION_COOKIE_SECURE = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_SSL_REDIRECT = True
X_FRAME_OPTIONS = 'DENY'
SECURE_HSTS_SECONDS = 300 # set low, but when site is ready for deployment, set to at least 15768000 (6 months)
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
Then use the SRI Hash Generator to ensure all your scripts are loaded securely from third-party sites.
Finally, the most challenging and time-consuming to implement is the Content Security Policy (CSP), particularly if the site is large, contains a lot of third-party code, and has a lot of inline scripts and styles scattered all over the project. To make the task easier, you can install Mozilla's django-csp and use your browser's console to track the security violations in your code. You will also need to fill in the following settings in your settings.py:
CSP_DEFAULT_SRC = ("'none'",)
CSP_STYLE_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'",)
CSP_IMG_SRC = ("'self'",)
This site helps explain CSP and what to do with inline scripts.
Optionally, you can install django-referrer-policy to set the Referrer-Policy header for added security (and higher grade!).
I am a beginner myself, and all the above are based on my research and what I did to improve my site security.
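An added example, not part of the answer above: an offline audit of the response headers and cookie flags that those settings.py values make Django 2.1's SecurityMiddleware (and django-csp) emit, plus the integrity value the SRI Hash Generator computes. The header names and formats are assumed from Django 2.1's middleware, and the sample headers are constructed.

```python
# Added example, not code from the original answer. Header names/formats are
# assumed from Django 2.1's SecurityMiddleware and django-csp; sample input is
# constructed to mirror the settings listed in the answer.
import base64
import hashlib
import re

MIN_HSTS = 15768000  # six months, the production value recommended above
EXPECTED = {  # response header -> pattern its value must match
    "Strict-Transport-Security": re.compile(r"max-age=(\d+)"),
    "X-Content-Type-Options": re.compile(r"^nosniff$", re.I),
    "X-Frame-Options": re.compile(r"^DENY$", re.I),
    "Content-Security-Policy": re.compile(r"default-src 'none'"),
}


def audit_headers(headers):
    """Return findings for a dict of response headers; [] means all checks pass."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, pattern in EXPECTED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
            continue
        m = pattern.search(value)
        if not m:
            findings.append(f"weak {name}: {value!r}")
        elif name == "Strict-Transport-Security" and int(m.group(1)) < MIN_HSTS:
            findings.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS}")
    return findings


def audit_cookie(set_cookie):
    """Findings for one Set-Cookie value (flags *_COOKIE_SECURE / *_SAMESITE add)."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    missing = [f for f in ("secure", "samesite=strict") if f not in attrs]
    return [f"cookie lacks {f}" for f in missing]


def sri_hash(script_bytes, algo="sha384"):
    """integrity="..." value for a script body, as the SRI Hash Generator produces."""
    digest = getattr(hashlib, algo)(script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


# Constructed sample: headers for the pre-production HSTS value (300 s) above.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'",
}
SAMPLE_COOKIE = "csrftoken=abc123; Secure; SameSite=Strict; Path=/"
```

Running audit_headers on the sample flags only the short HSTS max-age, which is exactly the value the answer tells you to raise before going to production.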
One of the security checks you can perform is the deployment checklist. Run:
manage.py check --deploy
Other security checks can be found in the official docs.