Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Frog and Toad Learn about Django Security - NBT6
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Philip James
December 17, 2021
Technology
0
27
Frog and Toad Learn about Django Security - NBT6
Philip James
December 17, 2021
Tweet
Share
More Decks by Philip James
See All by Philip James
The Elephant and the Serpent (PyLatam 2019)
phildini
0
69
Account Security for the Fashionable App Developer
phildini
1
71
All in the Timing: Side-Channel Attacks
phildini
0
67
Giving Thanks
phildini
0
46
All in the Timing: Side-Channel Attacks in Python
phildini
0
420
API-Driven Django
phildini
1
420
Type uWSGI; Press Enter; What Happens?
phildini
0
110
Type uWSGI; Press Enter; What Happens?
phildini
1
83
Oops I Committed My Secret Key
phildini
0
430
Other Decks in Technology
See All in Technology
M&A 後の統合をどう進めるか ─ ナレッジワーク × Poetics が実践した組織とシステムの融合
kworkdev
PRO
1
470
Oracle Cloud Observability and Management Platform - OCI 運用監視サービス概要 -
oracle4engineer
PRO
2
14k
2026年、サーバーレスの現在地 -「制約と戦う技術」から「当たり前の実行基盤」へ- /serverless2026
slsops
2
250
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
kekke_n
1
450
Introduction to Bill One Development Engineer
sansan33
PRO
0
360
FinTech SREのAWSサービス活用/Leveraging AWS Services in FinTech SRE
maaaato
0
130
クレジットカード決済基盤を支えるSRE - 厳格な監査とSRE運用の両立 (SRE Kaigi 2026)
capytan
6
2.8k
Agent Skils
dip_tech
PRO
0
120
登壇駆動学習のすすめ — CfPのネタの見つけ方と書くときに意識していること
bicstone
3
120
[CV勉強会@関東 World Model 読み会] Orbis: Overcoming Challenges of Long-Horizon Prediction in Driving World Models (Mousakhan+, NeurIPS 2025)
abemii
0
140
20260204_Midosuji_Tech
takuyay0ne
1
160
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
15
93k
Featured
See All Featured
Agile Actions for Facilitating Distributed Teams - ADO2019
mkilby
0
120
The Limits of Empathy - UXLibs8
cassininazir
1
220
ラッコキーワード サービス紹介資料
rakko
1
2.3M
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
122
21k
The AI Search Optimization Roadmap by Aleyda Solis
aleyda
1
5.2k
Automating Front-end Workflow
addyosmani
1371
200k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
57
50k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
133
19k
Java REST API Framework Comparison - PWX 2021
mraible
34
9.1k
Designing for humans not robots
tammielis
254
26k
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
0
2.3k
Transcript
@phildini #nbt6 Frog and Toad Learn Django Security
@phildini #nbt6 I have this great idea for a startup!
@phildini #nbt6 Novels by Frog and Toad (NFTs) • A
site for selling books • Authors have a form where they can put in book information • That book information gets rendered to a book page • There is a form on the book page for buying the book
@phildini #nbt6 Django!
@phildini #nbt6 SECURITY?!?
@phildini #nbt6 XSS Cross-Site Scripting
@phildini #nbt6 <script>alert(‘hello’)</script> <script>alert('hello')</ script>
@phildini #nbt6 return mark_safe( force_text(text) .replace('&', '&') .replace('<', '<') .replace('>',
'>') .replace('"', '"') .replace("'", ''') )
@phildini #nbt6 django.utils.html https://github.com/django/django/blob/master/django/utils/html.py#L47
@phildini #nbt6 Context -> VariableNode -> conditional_escape -> escape https://github.com/django/django/blob/master/django/template/base.py
@phildini #nbt6 mark_safe(), | n, | safe
@phildini #nbt6 CSRF Cross-Site Request Forgery
@phildini #nbt6 CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py
@phildini #nbt6 if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #nbt6 def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)
@phildini #nbt6 django.views.decorators.csrf.csrf_exempt
@phildini #nbt6 @csrf_exempt def my_view(request): … @method_decorator(csrf_exempt, dispatch) class MyCBV(View):
….
@phildini #nbt6 if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #nbt6 Cookies
@phildini #nbt6 SQLi SQL Injection
@phildini #nbt6 [This Slide Intentionally Left Blank]
@phildini #nbt6 .extra(), RawSQL(), .raw()
@phildini #nbt6 Clickjacking
@phildini #nbt6 XFrameOptionsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py
@phildini #nbt6 @xframe_options_exempt def my_view(request): … @method_decorator(xframe_options_exempt, dispatch) class MyCBV(View):
….
@phildini #nbt6 Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
@phildini #nbt6 Host Header Validation
@phildini #nbt6 get_host() https://github.com/django/django/blob/master/django/http/request.py#L95
@phildini #nbt6 if domain and in ALLOWED_HOSTS: proceed else: raise
error
@phildini #nbt6 Passwords
@phildini #nbt6 django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py
@phildini #nbt6 How do we make this better?
@phildini #nbt6 Constant Vigilance!
@phildini #nbt6 Package updates!
@phildini #nbt6 Package Updates https://pyup.io/safety/, GitHub dependabot
@phildini #nbt6 HTTPS https://letsencrypt.org/
@phildini #nbt6 HTTPS SECURE_SSL_REDIRECT SESSION_COOKIE_SECURE CSRF_COOKIE_SECURE SECURE_BROWSER_XSS_FILTER
@phildini #nbt6 HTTPS SECURE_HSTS_SECONDS SECURE_HSTS_PRELOAD SECURE_HSTS_INCLUDE_SUBDOMAINS
@phildini #nbt6 CSP Reporting Content Security Policy
@phildini #nbt6 django_encrypted_ fi elds https://github.com/defrex/django-encrypted- fi elds
@phildini #nbt6 Django Defender https://github.com/jazzband/django-defender
@phildini #nbt6 Token Vaulting https://www.verygoodsecurity.com/
@phildini #nbt6 Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/ Account Security Best
Practices https://pyvideo.org/pycon-us-2019/account-security-patterns-how-logged-in-are-you.html
@phildini #nbt6
@phildini #nbt6 The End. Philip James @phildini
SiteGround - Reliable hosting with speed, security, and support you can count on.
phildini
kworkdev
oracle4engineer
slsops
kekke_n
sansan33
maaaato
capytan
dip_tech
bicstone
abemii
takuyay0ne
mkilby
cassininazir
rakko
panda_program
aleyda
addyosmani
madoxten
caitiem20
morganepeng
mraible
tammielis
lindahogenes
![@phildini #nbt6 [This Slide Intentionally Left Blank]](https://files.speakerdeck.com/presentations/484880aedf1841a8aa395dec6c0901f2/slide_20.jpg){kind=link}
