Frog and Toad Learn about Django Security - NBT6

@phildini #nbt6 Frog and Toad Learn Django Security

@phildini #nbt6 I have this great idea for a startup!

@phildini #nbt6 Novels by Frog and Toad (NFTs) • A
site for selling books • Authors have a form where they can put in book information • That book information gets rendered to a book page • There is a form on the book page for buying the book

@phildini #nbt6 Django!

@phildini #nbt6 SECURITY?!?

@phildini #nbt6 XSS Cross-Site Scripting

@phildini #nbt6 <script>alert(‘hello’)</script> <script>alert('hello')</ script>

@phildini #nbt6 return mark_safe( force_text(text) .replace('&', '&') .replace('<', '<') .replace('>',
'>') .replace('"', '"') .replace("'", ''') )

@phildini #nbt6 django.utils.html https://github.com/django/django/blob/master/django/utils/html.py#L47

@phildini #nbt6 Context -> VariableNode -> conditional_escape -> escape https://github.com/django/django/blob/master/django/template/base.py

@phildini #nbt6 mark_safe(), | n, | safe

@phildini #nbt6 CSRF Cross-Site Request Forgery

@phildini #nbt6 CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py

@phildini #nbt6 if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

@phildini #nbt6 def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)

@phildini #nbt6 django.views.decorators.csrf.csrf_exempt

@phildini #nbt6 @csrf_exempt def my_view(request): … @method_decorator(csrf_exempt, dispatch) class MyCBV(View):
….

@phildini #nbt6 if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

@phildini #nbt6 Cookies

@phildini #nbt6 SQLi SQL Injection

@phildini #nbt6 [This Slide Intentionally Left Blank]

@phildini #nbt6 .extra(), RawSQL(), .raw()

@phildini #nbt6 Clickjacking

@phildini #nbt6 XFrameOptionsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py

@phildini #nbt6 @xframe_options_exempt def my_view(request): … @method_decorator(xframe_options_exempt, dispatch) class MyCBV(View):
….

@phildini #nbt6 Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+

@phildini #nbt6 Host Header Validation

@phildini #nbt6 get_host() https://github.com/django/django/blob/master/django/http/request.py#L95

@phildini #nbt6 if domain and in ALLOWED_HOSTS: proceed else: raise
error

@phildini #nbt6 Passwords

@phildini #nbt6 django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py

@phildini #nbt6 How do we make this better?

@phildini #nbt6 Constant Vigilance!

@phildini #nbt6 Package updates!

@phildini #nbt6 Package Updates https://pyup.io/safety/, GitHub dependabot

@phildini #nbt6 HTTPS https://letsencrypt.org/

@phildini #nbt6 HTTPS SECURE_SSL_REDIRECT SESSION_COOKIE_SECURE CSRF_COOKIE_SECURE SECURE_BROWSER_XSS_FILTER

@phildini #nbt6 HTTPS SECURE_HSTS_SECONDS SECURE_HSTS_PRELOAD SECURE_HSTS_INCLUDE_SUBDOMAINS

@phildini #nbt6 CSP Reporting Content Security Policy

@phildini #nbt6 django_encrypted_ fi elds https://github.com/defrex/django-encrypted- fi elds

@phildini #nbt6 Django Defender https://github.com/jazzband/django-defender

@phildini #nbt6 Token Vaulting https://www.verygoodsecurity.com/

@phildini #nbt6 Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/ Account Security Best
Practices https://pyvideo.org/pycon-us-2019/account-security-patterns-how-logged-in-are-you.html

@phildini #nbt6

@phildini #nbt6 The End. Philip James @phildini

Frog and Toad Learn about Django Security - NBT6

Frog and Toad Learn about Django Security - NBT6

More Decks by Philip James

Other Decks in Technology

Featured

Transcript