Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Frog and Toad Learn Django Security
Search
Philip James
July 20, 2016
Technology
0
160
Frog and Toad Learn Django Security
Talk given at DjangoCon US 2016
Philip James
July 20, 2016
Tweet
Share
More Decks by Philip James
See All by Philip James
Frog and Toad Learn about Django Security - NBT6
phildini
0
26
The Elephant and the Serpent (PyLatam 2019)
phildini
0
67
Account Security for the Fashionable App Developer
phildini
1
66
All in the Timing: Side-Channel Attacks
phildini
0
66
Giving Thanks
phildini
0
45
All in the Timing: Side-Channel Attacks in Python
phildini
0
420
API-Driven Django
phildini
1
400
Type uWSGI; Press Enter; What Happens?
phildini
0
97
Type uWSGI; Press Enter; What Happens?
phildini
1
79
Other Decks in Technology
See All in Technology
OCI Network Firewall 概要
oracle4engineer
PRO
1
7.8k
AI時代だからこそ考える、僕らが本当につくりたいスクラムチーム / A Scrum Team we really want to create in this AI era
takaking22
7
3.7k
[2025-09-30] Databricks Genie を利用した分析基盤とデータモデリングの IVRy の現在地
wxyzzz
0
500
Modern_Data_Stack最新動向クイズ_買収_AI_激動の2025年_.pdf
sagara
0
220
後進育成のしくじり〜任せるスキルとリーダーシップの両立〜
matsu0228
7
2.8k
Goに育てられ開発者向けセキュリティ事業を立ち上げた僕が今向き合う、AI × セキュリティの最前線 / Go Conference 2025
flatt_security
0
350
Access-what? why and how, A11Y for All - Nordic.js 2025
gdomiciano
1
120
スタートアップにおけるこれからの「データ整備」
shomaekawa
1
240
JAZUG 15周年記念 × JAT「AI Agent開発者必見:"今"のOracle技術で拡張するAzure × OCIの共存アーキテクチャ」
shisyu_gaku
0
130
定期的な価値提供だけじゃない、スクラムが導くチームの共創化 / 20251004 Naoki Takahashi
shift_evolve
PRO
3
330
職種別ミートアップで社内から盛り上げる アウトプット文化の醸成と関係強化/ #DevRelKaigi
nishiuma
2
140
空間を設計する力を考える / 20251004 Naoki Takahashi
shift_evolve
PRO
3
410
Featured
See All Featured
Building a Modern Day E-commerce SEO Strategy
aleyda
43
7.7k
Optimizing for Happiness
mojombo
379
70k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Being A Developer After 40
akosma
91
590k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
890
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
53k
Visualization
eitanlees
148
16k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
132
19k
Site-Speed That Sticks
csswizardry
11
880
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Music & Morning Musume
bryan
46
6.8k
Context Engineering - Making Every Token Count
addyosmani
5
200
Transcript
@phildini #djangotoad Frog and Toad Learn Django Security
@phildini #djangotoad I have this great idea for a startup!
@phildini #djangotoad Bezos Books • A site for selling books
• Authors have a form where they can put in book informaDon • That book informaDon gets rendered to a book page • There is a form on the book page for buying the book
@phildini #djangotoad Django!
@phildini #djangotoad SECURITY?!?
@phildini #djangotoad XSS Cross-Site ScripDng
@phildini #djangotoad <script>alert(‘hello’)</script> <script>alert('hello')</script>
@phildini #djangotoad return mark_safe( force_text(text) .replace('&', '&') .replace('<', '<') .replace('>',
'>') .replace('"', '"') .replace("'", ''') )
@phildini #djangotoad django.uDls.html https://github.com/django/django/blob/master/django/utils/html.py#L47
@phildini #djangotoad Context -> VariableNode -> condiDonal_escape -> escape https://github.com/django/django/blob/master/django/template/base.py
@phildini #djangotoad mark_safe(), | n, | safe
@phildini #djangotoad CSRF Cross-Site Request Forgery
@phildini #djangotoad CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py
@phildini #djangotoad if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #djangotoad def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_airs(view_func) )(wrapped_view)
@phildini #djangotoad django.views.decorators.csrf.csrf_exempt
@phildini #djangotoad @csrf_exempt def my_view(request): … @method_decorator(csrf_exempt, dispatch) class MyCBV(View):
….
@phildini #djangotoad if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #djangotoad Cookies
@phildini #djangotoad SQLi SQL InjecDon
@phildini #djangotoad [This Slide IntenDonally Len Blank]
@phildini #djangotoad .extra(), RawSQL(), .raw()
@phildini #djangotoad Clickjacking
@phildini #djangotoad XFrameOpDonsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py
@phildini #djangotoad @xframe_op1ons_exempt def my_view(request): … @method_decorator(xframe_op1ons_exempt, dispatch) class MyCBV(View):
….
@phildini #djangotoad Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
@phildini #djangotoad Host Header ValidaDon
@phildini #djangotoad get_host() https://github.com/django/django/blob/master/django/http/request.py#L95
@phildini #djangotoad if domain and in ALLOWED_HOSTS: proceed else: raise
error
@phildini #djangotoad Passwords
@phildini #djangotoad django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py
@phildini #djangotoad How do we make this beier?
@phildini #djangotoad Constant Vigilance!
@phildini #djangotoad HTTPS
@phildini #djangotoad CSP ReporDng Content Security Policy
@phildini #djangotoad django_encrypted_fields hips:/ /github.com/defrex/django-encrypted-fields
@phildini #djangotoad django-secure hip:/ /django-secure.readthedocs.org/en/v0.1.2/
@phildini #djangotoad Pony Checkup hips:/ /www.ponycheckup.com/
@phildini #djangotoad Making Django Ridiculously Secure hip:/ /nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
@phildini #djangotoad
@phildini #djangotoad The End. Philip James @phildini hip:/ /bit.ly/djangotoad