Frog and Toad Learn about Django Security - NBT6
Philip James
December 17, 2021
Technology
Transcript
@phildini #nbt6 Frog and Toad Learn Django Security
I have this great idea for a startup!
Novels by Frog and Toad (NFTs)
• A site for selling books
• Authors have a form where they can put in book information
• That book information gets rendered to a book page
• There is a form on the book page for buying the book
Django!
SECURITY?!?
XSS: Cross-Site Scripting
    <script>alert('hello')</script>
    from django.utils.encoding import force_text
    from django.utils.safestring import mark_safe

    def escape(text):
        # '&' is replaced first so the entities added below are not escaped again
        return mark_safe(
            force_text(text)
            .replace('&', '&amp;')
            .replace('<', '&lt;')
            .replace('>', '&gt;')
            .replace('"', '&quot;')
            .replace("'", '&#39;')
        )
django.utils.html https://github.com/django/django/blob/master/django/utils/html.py#L47
Context -> VariableNode -> conditional_escape -> escape https://github.com/django/django/blob/master/django/template/base.py
mark_safe(), | n, | safe
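Added example, not from the deck or from Django itself: a pure-Python model of the Context -> VariableNode -> conditional_escape -> escape path, showing how the slide's payload is neutralised by autoescaping and how mark_safe() / |safe switch that off. SafeString, escape, mark_safe, conditional_escape and render_book_page are re-implemented here so the block runs without Django; the book page template is assumed.

```python
class SafeString(str):
    """A str the escaper leaves alone (models django.utils.safestring.SafeString)."""


def escape(text):
    """The five replacements the deck shows from django.utils.html.escape."""
    # '&' goes first, otherwise the entities added below would be re-escaped.
    return SafeString(
        str(text)
        .replace('&', '&amp;')
        .replace('<', '&lt;')
        .replace('>', '&gt;')
        .replace('"', '&quot;')
        .replace("'", '&#39;')
    )


def mark_safe(text):
    """Opt a value out of escaping: what mark_safe() and the |safe filter do."""
    return SafeString(text)


def conditional_escape(text):
    """Escape only values that are not already marked safe (template autoescape)."""
    if isinstance(text, SafeString):
        return text
    return escape(text)


def render_book_page(title):
    """Models a VariableNode rendering {{ title }} in the (assumed) book page template."""
    return '<h1>' + conditional_escape(title) + '</h1>'


# Constructed input: the payload from the deck's XSS slide, as an author might
# type it into the book-information form.
PAYLOAD = "<script>alert('hello')</script>"

if __name__ == '__main__':
    print(render_book_page(PAYLOAD))             # script tag rendered as harmless text
    print(render_book_page(mark_safe(PAYLOAD)))  # |safe / mark_safe puts the tag back
```

Escaping an already-escaped value double-encodes it (`&lt;` becomes `&amp;lt;`), which is why the template engine checks for SafeString before escaping instead of escaping unconditionally.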
CSRF: Cross-Site Request Forgery
CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py
    if request is a POST:
        get csrf_token from cookie
        get csrfmiddlewaretoken from request.POST
        if both match: accept
        else: reject
    from functools import wraps
    from django.utils.decorators import available_attrs

    def csrf_exempt(view_func):
        # Marks the view so CsrfViewMiddleware skips the token check for it
        def wrapped_view(*args, **kwargs):
            return view_func(*args, **kwargs)
        wrapped_view.csrf_exempt = True
        return wraps(view_func, assigned=available_attrs(view_func))(wrapped_view)

django.views.decorators.csrf.csrf_exempt
    @csrf_exempt
    def my_view(request):
        …

    @method_decorator(csrf_exempt, name='dispatch')
    class MyCBV(View):
        …

    if request is a POST and not view.csrf_exempt:
        get csrf_token from cookie
        get csrfmiddlewaretoken from request.POST
        if both match: accept
        else: reject
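Added example, not the deck's code or Django's: a stand-alone model of the CsrfViewMiddleware check sketched above, including the csrf_exempt shortcut and a constant-time token comparison. Request is a constructed stand-in for HttpRequest, and buy_book / payment_webhook are assumed views; real Django additionally masks the token, accepts it from a request header, and checks the Referer on HTTPS.

```python
import hmac
from dataclasses import dataclass, field
from functools import wraps

@dataclass
class Request:
    """Constructed stand-in for HttpRequest: only the fields the check reads."""
    method: str
    COOKIES: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)

def csrf_exempt(view_func):
    """Same shape as django.views.decorators.csrf.csrf_exempt."""
    @wraps(view_func)
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wrapped_view

def csrf_check(request, view):
    """True if the request may reach the view, False if it should be rejected."""
    if request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
        return True                          # safe methods are never checked
    if getattr(view, 'csrf_exempt', False):
        return True                          # the view opted out of the check
    cookie_token = request.COOKIES.get('csrftoken', '')
    form_token = request.POST.get('csrfmiddlewaretoken', '')
    if not cookie_token or not form_token:
        return False                         # missing either token -> reject
    return hmac.compare_digest(cookie_token, form_token)  # constant-time compare

def buy_book(request):
    return 'purchased'

@csrf_exempt
def payment_webhook(request):
    return 'ok'

def handle(request, view):
    """What the middleware does around the view: run it or answer 403."""
    return view(request) if csrf_check(request, view) else '403 Forbidden'

if __name__ == '__main__':
    token = 'constructed-token-value'  # in Django this comes from get_token()
    good = Request('POST', {'csrftoken': token}, {'csrfmiddlewaretoken': token})
    forged = Request('POST', {'csrftoken': token}, {})  # cross-site form sends no token
    print(handle(good, buy_book), handle(forged, buy_book), handle(forged, payment_webhook))
```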
Cookies
SQLi: SQL Injection
[This Slide Intentionally Left Blank]
.extra(), RawSQL(), .raw()
Clickjacking
XFrameOptionsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py
    @xframe_options_exempt
    def my_view(request):
        …

    @method_decorator(xframe_options_exempt, name='dispatch')
    class MyCBV(View):
        …

Internet Explorer 8+, Firefox 3.6.9+, Opera 10.5+, Safari 4+, Chrome 4.1+
Host Header Validation
get_host() https://github.com/django/django/blob/master/django/http/request.py#L95
    if domain and domain in ALLOWED_HOSTS: proceed
    else: raise error
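Added example, not the deck's code or Django's own: a stand-alone model of the get_host() / ALLOWED_HOSTS check sketched above. The pattern rules ('*' matches any host, a leading '.' matches the domain and all of its subdomains) follow Django's documented ALLOWED_HOSTS semantics; ALLOWED_HOSTS, DisallowedHost and the host regex are constructed here, and IPv6 literals are left out.

```python
import re

# Constructed settings; a real project reads settings.ALLOWED_HOSTS.
# '.books.example' matches books.example and every subdomain of it.
ALLOWED_HOSTS = ['novelsbyfrogandtoad.example', '.books.example']

# Hostname with optional port; IPv6 literals are left out of this model.
HOST_RE = re.compile(r'^([a-z0-9.-]+)(:[0-9]+)?$')


class DisallowedHost(Exception):
    """Stand-in for django.core.exceptions.DisallowedHost."""


def is_same_domain(host, pattern):
    """ALLOWED_HOSTS entry semantics: exact match, or '.domain' for domain and subdomains."""
    pattern = pattern.lower()
    if pattern.startswith('.'):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def validate_host(host, allowed_hosts):
    return any(p == '*' or is_same_domain(host, p) for p in allowed_hosts)


def get_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return the validated, lower-cased domain (port stripped) or raise DisallowedHost."""
    host = host_header.strip().lower()
    match = HOST_RE.match(host)
    if not match:
        raise DisallowedHost('Invalid HTTP_HOST header: %r' % host_header)
    domain = match.group(1).rstrip('.')   # drop a trailing FQDN dot
    if not validate_host(domain, allowed_hosts):
        raise DisallowedHost('HTTP_HOST %r not in ALLOWED_HOSTS' % domain)
    return domain


def is_allowed(host_header, allowed_hosts=ALLOWED_HOSTS):
    """True when get_host() would accept the header, False when it raises."""
    try:
        get_host(host_header, allowed_hosts)
        return True
    except DisallowedHost:
        return False


if __name__ == '__main__':
    for header in ('NovelsByFrogAndToad.example:8000', 'shop.books.example', 'notbooks.example'):
        print(header, '->', is_allowed(header))
```

The rejected value is exactly what would otherwise flow into absolute URLs Django builds from the request (password-reset links, redirects), which is why the check runs before the view sees the host.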
Passwords
django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py
How do we make this better?
Constant Vigilance!
Package updates!
Package Updates https://pyup.io/safety/, GitHub dependabot
HTTPS https://letsencrypt.org/
HTTPS: SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE, SECURE_BROWSER_XSS_FILTER
HTTPS: SECURE_HSTS_SECONDS, SECURE_HSTS_PRELOAD, SECURE_HSTS_INCLUDE_SUBDOMAINS
CSP Reporting: Content Security Policy
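Added example, not from the deck: the HTTPS settings the two slides list, shown as Django's defaults (all off) beside a hardened configuration, with a small audit function in the spirit of `manage.py check --deploy`. The settings dicts are constructed; the one-year threshold is the max-age the HSTS preload list requires. SECURE_BROWSER_XSS_FILTER is not audited because Django 4.0 removed it.

```python
ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list requires

# Constructed settings. Django's defaults leave all of these off, so an empty
# dict behaves like a fresh project.
INSECURE_SETTINGS = {}

HARDENED_SETTINGS = {
    'SECURE_SSL_REDIRECT': True,             # redirect http:// requests to https://
    'SESSION_COOKIE_SECURE': True,           # session cookie sent over TLS only
    'CSRF_COOKIE_SECURE': True,              # CSRF cookie sent over TLS only
    'SECURE_HSTS_SECONDS': ONE_YEAR,         # Strict-Transport-Security max-age
    'SECURE_HSTS_INCLUDE_SUBDOMAINS': True,  # adds includeSubDomains
    'SECURE_HSTS_PRELOAD': True,             # adds preload (the site must be submitted separately)
}

def check_https_settings(settings):
    """Return a list of warnings; an empty list means the settings are hardened."""
    warnings = []
    for name in ('SECURE_SSL_REDIRECT', 'SESSION_COOKIE_SECURE', 'CSRF_COOKIE_SECURE'):
        if not settings.get(name, False):
            warnings.append(f'{name} is not True')
    hsts = settings.get('SECURE_HSTS_SECONDS', 0)
    subdomains = settings.get('SECURE_HSTS_INCLUDE_SUBDOMAINS', False)
    if hsts == 0:
        warnings.append('SECURE_HSTS_SECONDS is 0: no Strict-Transport-Security header is sent')
    elif hsts < ONE_YEAR:
        warnings.append(f'SECURE_HSTS_SECONDS={hsts} is shorter than one year')
    if hsts and not subdomains:
        warnings.append('SECURE_HSTS_INCLUDE_SUBDOMAINS is False: subdomains can still be served over http')
    if settings.get('SECURE_HSTS_PRELOAD', False) and (hsts < ONE_YEAR or not subdomains):
        warnings.append('SECURE_HSTS_PRELOAD is True but preload needs a one-year max-age and includeSubDomains')
    return warnings

if __name__ == '__main__':
    for label, cfg in (('insecure', INSECURE_SETTINGS), ('hardened', HARDENED_SETTINGS)):
        print(label, check_https_settings(cfg))
```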
django_encrypted_fields https://github.com/defrex/django-encrypted-fields
Django Defender https://github.com/jazzband/django-defender
Token Vaulting https://www.verygoodsecurity.com/
Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
Account Security Best Practices https://pyvideo.org/pycon-us-2019/account-security-patterns-how-logged-in-are-you.html
The End. Philip James @phildini