Frog and Toad Learn about Django Security - NBT6
Philip James
December 17, 2021
Transcript
@phildini #nbt6 Frog and Toad Learn Django Security
I have this great idea for a startup!
Novels by Frog and Toad (NFTs)
• A site for selling books
• Authors have a form where they can put in book information
• That book information gets rendered to a book page
• There is a form on the book page for buying the book
Django!
SECURITY?!?
XSS: Cross-Site Scripting
    <script>alert('hello')</script>
    from django.utils.encoding import force_text
    from django.utils.safestring import mark_safe

    def escape(text):
        # Replace the five HTML-significant characters with their entities
        # and mark the result safe so it is not escaped again on output.
        return mark_safe(
            force_text(text)
            .replace('&', '&amp;')
            .replace('<', '&lt;')
            .replace('>', '&gt;')
            .replace('"', '&quot;')
            .replace("'", '&#39;')
        )
django.utils.html
https://github.com/django/django/blob/master/django/utils/html.py#L47
Context -> VariableNode -> conditional_escape -> escape
https://github.com/django/django/blob/master/django/template/base.py
mark_safe(), | n, | safe
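The autoescape path the slides trace, as an added example that is not from the talk or from Django's source: a stdlib-only model of escape, conditional_escape and mark_safe, so the mark_safe()/|safe bypass can be watched without installing Django. SafeString, render_book_page and demo are names constructed for this example.

```python
# Added example (not from the talk or Django's source): a stdlib-only model of
# Django's autoescape pipeline, so the mark_safe()/|safe bypass can be seen
# without installing Django. SafeString, mark_safe, escape and
# conditional_escape mirror the roles of their Django namesakes.

class SafeString(str):
    """A str that tells conditional_escape() it is already safe HTML."""
    def __html__(self):
        return self


def mark_safe(text):
    """Declare a string safe; from here on escaping is skipped."""
    return SafeString(text)


def escape(text):
    """Replace the five HTML-significant characters, as django.utils.html.escape does."""
    return mark_safe(
        str(text)
        .replace('&', '&amp;')
        .replace('<', '&lt;')
        .replace('>', '&gt;')
        .replace('"', '&quot;')
        .replace("'", '&#39;')
    )


def conditional_escape(text):
    """What VariableNode.render() applies: escape unless marked safe."""
    if hasattr(text, '__html__'):
        return text.__html__()
    return escape(text)


def render_book_page(title):
    """Stand-in for the book-page template: <h1>{{ title }}</h1>."""
    return '<h1>%s</h1>' % conditional_escape(title)


# Constructed author input: the payload shown on the XSS slide.
PAYLOAD = "<script>alert('hello')</script>"


def demo():
    """Return (autoescaped page, page after a careless mark_safe() on the input)."""
    return render_book_page(PAYLOAD), render_book_page(mark_safe(PAYLOAD))
```

Note that escape() always escapes, so escape(escape(x)) double-encodes, while conditional_escape() trusts the SafeString marker; that marker is exactly what mark_safe() and |safe hand out.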
CSRF: Cross-Site Request Forgery
CsrfViewMiddleware
https://github.com/django/django/blob/master/django/middleware/csrf.py
    if request is a POST:
        get csrf_token from cookie
        get csrfmiddlewaretoken from request.POST
        if both match:
            accept
        else:
            reject
    from functools import wraps
    from django.utils.decorators import available_attrs

    def csrf_exempt(view_func):
        # Wraps the view and flags it so CsrfViewMiddleware skips its check.
        def wrapped_view(*args, **kwargs):
            return view_func(*args, **kwargs)
        wrapped_view.csrf_exempt = True  # the attribute the middleware looks for
        return wraps(view_func, assigned=available_attrs(view_func))(wrapped_view)

django.views.decorators.csrf.csrf_exempt
    @csrf_exempt
    def my_view(request):
        …

    @method_decorator(csrf_exempt, name='dispatch')
    class MyCBV(View):
        ….
    if request is a POST and not view.csrf_exempt:
        get csrf_token from cookie
        get csrfmiddlewaretoken from request.POST
        if both match:
            accept
        else:
            reject
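The check from the two pseudocode slides written out, as an added example that is not Django's code: a POST is accepted only when the cookie token and the csrfmiddlewaretoken form field match, unless the view carries the csrf_exempt flag. Request, csrf_check, buy_book, webhook and TOKEN are constructed for this example.

```python
import hmac

# Added example (not Django's code): the CSRF check the slides sketch as
# pseudocode, written out as a plain function. Request, csrf_check(), buy_book
# and webhook are constructed here; the real check lives in
# django.middleware.csrf.CsrfViewMiddleware.

class Request:
    """Constructed stand-in for HttpRequest with only what the check reads."""
    def __init__(self, method, cookies=None, post=None):
        self.method = method
        self.COOKIES = cookies or {}
        self.POST = post or {}


def csrf_check(request, view):
    """Return 'accept' or 'reject' following the slide's pseudocode.

    The slide compares the two tokens directly; since Django 1.10 the form
    token is masked and unmasked before comparison, which this omits.
    """
    # Only state-changing methods are checked (Django exempts
    # GET, HEAD, OPTIONS and TRACE).
    if request.method in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
        return 'accept'
    # @csrf_exempt sets this attribute on the view function.
    if getattr(view, 'csrf_exempt', False):
        return 'accept'
    cookie_token = request.COOKIES.get('csrftoken')  # Django's default cookie name
    form_token = request.POST.get('csrfmiddlewaretoken')
    if not cookie_token or not form_token:
        return 'reject'
    # Constant-time comparison, as Django's constant_time_compare() does.
    return 'accept' if hmac.compare_digest(cookie_token, form_token) else 'reject'


def buy_book(request):
    """The book page's purchase view: stays protected."""
    return 'purchase recorded'


def webhook(request):
    """A view a developer exempted; @csrf_exempt sets the same flag."""
    return 'ok'


webhook.csrf_exempt = True

TOKEN = 'a' * 32  # constructed token value
```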
Cookies
SQLi: SQL Injection
[This Slide Intentionally Left Blank]
.extra(), RawSQL(), .raw()
Clickjacking
XFrameOptionsMiddleware
https://github.com/django/django/blob/master/django/middleware/clickjacking.py
    @xframe_options_exempt
    def my_view(request):
        …

    @method_decorator(xframe_options_exempt, name='dispatch')
    class MyCBV(View):
        ….
Internet Explorer 8+, Firefox 3.6.9+, Opera 10.5+, Safari 4+, Chrome 4.1+
Host Header Validation
get_host()
https://github.com/django/django/blob/master/django/http/request.py#L95
    if domain and domain in ALLOWED_HOSTS:
        proceed
    else:
        raise error
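The get_host() check from the slide carried through, as an added example that is not Django's code: the Host header is split into domain and port, and the domain is matched against ALLOWED_HOSTS with the exact, leading-dot subdomain and '*' forms Django accepts. HOST_RE and the local DisallowedHost class are constructed for this example.

```python
import re

# Added example (not Django's code): the host check the slide sketches,
# following the shape of django.http.request.split_domain_port(),
# validate_host() and HttpRequest.get_host(). DisallowedHost is a local
# stand-in for django.core.exceptions.DisallowedHost.

# hostname or IPv4, or a bracketed IPv6 literal, with an optional :port
HOST_RE = re.compile(r'^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::([0-9]+))?$')


class DisallowedHost(Exception):
    pass


def split_domain_port(host):
    """Return (domain, port); ('', '') when the header is not a valid host."""
    m = HOST_RE.match(host.lower())
    if not m:
        return '', ''
    domain, port = m.groups()
    # A trailing dot marks an absolute FQDN; treat it as the same name.
    if domain.endswith('.'):
        domain = domain[:-1]
    return domain, port or ''


def is_same_domain(host, pattern):
    """'.example.com' matches example.com and every subdomain; else exact match."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == '.':
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(domain, allowed_hosts):
    """True if any ALLOWED_HOSTS entry ('*' allows everything) matches."""
    return any(p == '*' or is_same_domain(domain, p) for p in allowed_hosts)


def get_host(host_header, allowed_hosts):
    """The slide: if domain and domain in ALLOWED_HOSTS: proceed, else raise."""
    domain, _port = split_domain_port(host_header)
    if domain and validate_host(domain, allowed_hosts):
        return host_header
    raise DisallowedHost('Invalid HTTP_HOST header: %r' % host_header)
```

A malformed header yields an empty domain and is rejected before any ALLOWED_HOSTS lookup, which is why the slide's check starts with "if domain".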
Passwords
django.contrib.auth.hashers.check_password
https://github.com/django/django/blob/master/django/contrib/auth/hashers.py
How do we make this better?
Constant Vigilance!
Package updates!
Package Updates: https://pyup.io/safety/, GitHub dependabot
HTTPS: https://letsencrypt.org/
HTTPS
    SECURE_SSL_REDIRECT
    SESSION_COOKIE_SECURE
    CSRF_COOKIE_SECURE
    SECURE_BROWSER_XSS_FILTER
HTTPS
    SECURE_HSTS_SECONDS
    SECURE_HSTS_PRELOAD
    SECURE_HSTS_INCLUDE_SUBDOMAINS
CSP Reporting: Content Security Policy
django_encrypted_fields https://github.com/defrex/django-encrypted-fields
Django Defender https://github.com/jazzband/django-defender
Token Vaulting https://www.verygoodsecurity.com/
Making Django Ridiculously Secure
http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
Account Security Best Practices
https://pyvideo.org/pycon-us-2019/account-security-patterns-how-logged-in-are-you.html
The End. Philip James @phildini