Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Frog and Toad Learn about Django Security - NBT6
Search
Philip James
December 17, 2021
Technology
0
26
Frog and Toad Learn about Django Security - NBT6
Philip James
December 17, 2021
Tweet
Share
More Decks by Philip James
See All by Philip James
The Elephant and the Serpent (PyLatam 2019)
phildini
0
67
Account Security for the Fashionable App Developer
phildini
1
66
All in the Timing: Side-Channel Attacks
phildini
0
64
Giving Thanks
phildini
0
45
All in the Timing: Side-Channel Attacks in Python
phildini
0
420
API-Driven Django
phildini
1
400
Type uWSGI; Press Enter; What Happens?
phildini
0
97
Type uWSGI; Press Enter; What Happens?
phildini
1
79
Oops I Committed My Secret Key
phildini
0
420
Other Decks in Technology
See All in Technology
20250913_JAWS_sysad_kobe
takuyay0ne
2
250
複数サービスを支えるマルチテナント型Batch MLプラットフォーム
lycorptech_jp
PRO
1
980
スマートファクトリーの第一歩 〜AWSマネージドサービスで 実現する予知保全と生成AI活用まで
ganota
2
320
Firestore → Spanner 移行 を成功させた段階的移行プロセス
athug
1
500
AWSで始める実践Dagster入門
kitagawaz
1
750
「何となくテストする」を卒業するためにプロダクトが動く仕組みを理解しよう
kawabeaver
0
440
今日から始めるAWSセキュリティ対策 3ステップでわかる実践ガイド
yoshidatakeshi1994
0
120
プラットフォーム転換期におけるGitHub Copilot活用〜Coding agentがそれを加速するか〜 / Leveraging GitHub Copilot During Platform Transition Periods
aeonpeople
1
240
はじめてのOSS開発からみえたGo言語の強み
shibukazu
4
1k
Android Audio: Beyond Winning On It
atsushieno
0
3.4k
slog.Handlerのよくある実装ミス
sakiengineer
4
480
サラリーマンの小遣いで作るtoCサービス - Cloudflare Workersでスケールする開発戦略
shinaps
2
470
Featured
See All Featured
Done Done
chrislema
185
16k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
850
Site-Speed That Sticks
csswizardry
10
820
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
Build The Right Thing And Hit Your Dates
maggiecrowley
37
2.9k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
1.6k
Imperfection Machines: The Place of Print at Facebook
scottboms
268
13k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
[RailsConf 2023] Rails as a piece of cake
palkan
57
5.8k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.7k
KATA
mclloyd
32
14k
Being A Developer After 40
akosma
90
590k
Transcript
@phildini #nbt6 Frog and Toad Learn Django Security
@phildini #nbt6 I have this great idea for a startup!
@phildini #nbt6 Novels by Frog and Toad (NFTs) • A
site for selling books • Authors have a form where they can put in book information • That book information gets rendered to a book page • There is a form on the book page for buying the book
@phildini #nbt6 Django!
@phildini #nbt6 SECURITY?!?
@phildini #nbt6 XSS Cross-Site Scripting
@phildini #nbt6 <script>alert(‘hello’)</script> <script>alert('hello')</ script>
@phildini #nbt6 return mark_safe( force_text(text) .replace('&', '&') .replace('<', '<') .replace('>',
'>') .replace('"', '"') .replace("'", ''') )
@phildini #nbt6 django.utils.html https://github.com/django/django/blob/master/django/utils/html.py#L47
@phildini #nbt6 Context -> VariableNode -> conditional_escape -> escape https://github.com/django/django/blob/master/django/template/base.py
@phildini #nbt6 mark_safe(), | n, | safe
@phildini #nbt6 CSRF Cross-Site Request Forgery
@phildini #nbt6 CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py
@phildini #nbt6 if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #nbt6 def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)
@phildini #nbt6 django.views.decorators.csrf.csrf_exempt
@phildini #nbt6 @csrf_exempt def my_view(request): … @method_decorator(csrf_exempt, dispatch) class MyCBV(View):
….
@phildini #nbt6 if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #nbt6 Cookies
@phildini #nbt6 SQLi SQL Injection
@phildini #nbt6 [This Slide Intentionally Left Blank]
@phildini #nbt6 .extra(), RawSQL(), .raw()
@phildini #nbt6 Clickjacking
@phildini #nbt6 XFrameOptionsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py
@phildini #nbt6 @xframe_options_exempt def my_view(request): … @method_decorator(xframe_options_exempt, dispatch) class MyCBV(View):
….
@phildini #nbt6 Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
@phildini #nbt6 Host Header Validation
@phildini #nbt6 get_host() https://github.com/django/django/blob/master/django/http/request.py#L95
@phildini #nbt6 if domain and in ALLOWED_HOSTS: proceed else: raise
error
@phildini #nbt6 Passwords
@phildini #nbt6 django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py
@phildini #nbt6 How do we make this better?
@phildini #nbt6 Constant Vigilance!
@phildini #nbt6 Package updates!
@phildini #nbt6 Package Updates https://pyup.io/safety/, GitHub dependabot
@phildini #nbt6 HTTPS https://letsencrypt.org/
@phildini #nbt6 HTTPS SECURE_SSL_REDIRECT SESSION_COOKIE_SECURE CSRF_COOKIE_SECURE SECURE_BROWSER_XSS_FILTER
@phildini #nbt6 HTTPS SECURE_HSTS_SECONDS SECURE_HSTS_PRELOAD SECURE_HSTS_INCLUDE_SUBDOMAINS
@phildini #nbt6 CSP Reporting Content Security Policy
@phildini #nbt6 django_encrypted_ fi elds https://github.com/defrex/django-encrypted- fi elds
@phildini #nbt6 Django Defender https://github.com/jazzband/django-defender
@phildini #nbt6 Token Vaulting https://www.verygoodsecurity.com/
@phildini #nbt6 Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/ Account Security Best
Practices https://pyvideo.org/pycon-us-2019/account-security-patterns-how-logged-in-are-you.html
@phildini #nbt6
@phildini #nbt6 The End. Philip James @phildini