
Security issues with serving static files through Django?

The official docs say, of the staticfiles serve view:

... this view is grossly inefficient and probably insecure

Does this warning apply only to this particular view, or are there security issues inherent in the concept of serving static files through Django? What are they? Assuming I've benchmarked my application and performance is acceptable, are there any other issues I should be aware of?

jl6, asked Mar 21 '13 15:03



1 Answer

It's insecure because it doesn't have to be secure

Serving static files through Django means you go through the Python code to do something your web server would do significantly more efficiently.

Given that serving static files is disastrous performance-wise, no-one would use this in production.
Therefore, no-one cares about the security of serving static files in Django.
As a consequence, this view is probably insecure.


Ultimately, it's the same rationale as the development server. You're not supposed to be using it in production and no one is dedicating effort to making it secure. It's just practical for development.

Also, something inefficient is something that exposes you to DoS attacks. So yes, it's insecure.

But you shouldn't be using it.

Why are you serving static files through Django? Is it to control access to those files?

If yes, you should use the X-Accel-Redirect (Nginx) or X-Sendfile (Apache) headers.

But don't do it yourself, use: https://github.com/johnsensible/django-sendfile

Thomas Orozco, answered Sep 22 '22 12:09
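The X-Accel-Redirect pattern the answer recommends, as an added example (not the answer's code and not django-sendfile's): the Django view does the authorisation and name validation, then hands the actual transfer to nginx through the header, so no file bytes pass through Python. The nginx location, INTERNAL_PREFIX, OWNED_FILES, allowed_files_for and download_view are constructed for this example.

```python
import mimetypes
from pathlib import PurePosixPath

# Hypothetical nginx internal location; matching nginx config (constructed):
#   location /protected-internal/ { internal; alias /srv/protected/; }
INTERNAL_PREFIX = "/protected-internal"
# Constructed ownership table standing in for a database lookup.
OWNED_FILES = {"alice": {"reports/q1.pdf", "reports/q2.pdf"}}

def allowed_files_for(username):
    """Files the named user may download (constructed in-memory lookup)."""
    return OWNED_FILES.get(username, set())

def sanitize_name(name):
    """Relative path with traversal rejected: absolute paths, '..' segments,
    backslashes and NUL bytes all yield None instead of a path."""
    if not name or "\x00" in name or name.startswith("/"):
        return None
    parts = PurePosixPath(name).parts
    if not parts or any(p == ".." or "\\" in p for p in parts):
        return None
    return "/".join(parts)

def protected_download(is_authenticated, name, allowed):
    """Return (status, headers). On 200 the headers carry X-Accel-Redirect,
    so nginx streams the bytes itself and Django never opens the file."""
    if not is_authenticated:
        return 403, {}
    rel = sanitize_name(name)
    if rel is None or rel not in allowed:
        return 404, {}  # same answer for bad names and other users' files
    ctype, _ = mimetypes.guess_type(rel)
    filename = PurePosixPath(rel).name.replace('"', "")
    return 200, {
        "X-Accel-Redirect": f"{INTERNAL_PREFIX}/{rel}",
        "Content-Type": ctype or "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{filename}"',
    }

def download_view(request, name):
    """Django view wrapper; Django is imported lazily so the functions above
    run without it. nginx must expose INTERNAL_PREFIX as an internal location."""
    from django.http import HttpResponse
    allowed = allowed_files_for(request.user.get_username())
    status, headers = protected_download(request.user.is_authenticated, name, allowed)
    response = HttpResponse(status=status)
    for key, value in headers.items():
        response[key] = value
    return response
```

Because the nginx location is marked internal, a client requesting /protected-internal/... directly gets 404; only a response carrying X-Accel-Redirect from the application can reach it.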