Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Frog and Toad Learn Django Security
Search
Philip James
July 20, 2016
Technology
170
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Frog and Toad Learn Django Security
Talk given at DjangoCon US 2016
Philip James
July 20, 2016
More Decks by Philip James
See All by Philip James
Frog and Toad Learn about Django Security - NBT6
phildini
0
35
The Elephant and the Serpent (PyLatam 2019)
phildini
0
75
Account Security for the Fashionable App Developer
phildini
1
75
All in the Timing: Side-Channel Attacks
phildini
0
79
Giving Thanks
phildini
0
50
All in the Timing: Side-Channel Attacks in Python
phildini
0
430
API-Driven Django
phildini
1
440
Type uWSGI; Press Enter; What Happens?
phildini
0
120
Type uWSGI; Press Enter; What Happens?
phildini
1
97
Other Decks in Technology
See All in Technology
背中から、背中へ /paying forward to community
naitosatoshi
0
230
ZOZOTOWNの進化と信頼性を両立する負荷試験
zozotech
PRO
0
130
型は壁、Rustでもバグを直すな、表現できなくせよ
nwiizo
12
1.6k
記録をかんたんに、提案をパーソナルに ── AIであすけんが目指すもの
oprstchn
0
160
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
11k
そのタスクオンスケですか?
poropinai1966
0
140
小さいから、全部わかる。— 常駐AI "xangi" のすすめ
sugupoko
0
270
NDIAS CTF 2026 問題解説会資料
bata_24
0
180
事業価値を⽣み出すSREへ SREが担うべき意思決定の5層
kenta_hi
1
730
組織における AI-DLC 実践
askul
0
320
はじめてのWDM
miyukichi_ospf
1
120
從觀望到全公司落地:AI Agentic Coding 導入實戰 — 流程整合與安全治理
appleboy
1
1k
Featured
See All Featured
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
123
22k
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
2
1.6k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
460
How to Talk to Developers About Accessibility
jct
2
280
Embracing the Ebb and Flow
colly
88
5.1k
Impact Scores and Hybrid Strategies: The future of link building
tamaranovitovic
0
330
The Illustrated Guide to Node.js - THAT Conference 2024
reverentgeek
1
410
Docker and Python
trallard
47
3.9k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
2k
Building the Perfect Custom Keyboard
takai
2
810
Marketing to machines
jonoalderson
1
5.6k
Ruling the World: When Life Gets Gamed
codingconduct
0
270
Transcript
@phildini #djangotoad Frog and Toad Learn Django Security
@phildini #djangotoad I have this great idea for a startup!
@phildini #djangotoad Bezos Books • A site for selling books
• Authors have a form where they can put in book informaDon • That book informaDon gets rendered to a book page • There is a form on the book page for buying the book
@phildini #djangotoad Django!
@phildini #djangotoad SECURITY?!?
@phildini #djangotoad XSS Cross-Site ScripDng
@phildini #djangotoad <script>alert(‘hello’)</script> <script>alert('hello')</script>
@phildini #djangotoad return mark_safe( force_text(text) .replace('&', '&') .replace('<', '<') .replace('>',
'>') .replace('"', '"') .replace("'", ''') )
@phildini #djangotoad django.uDls.html https://github.com/django/django/blob/master/django/utils/html.py#L47
@phildini #djangotoad Context -> VariableNode -> condiDonal_escape -> escape https://github.com/django/django/blob/master/django/template/base.py
@phildini #djangotoad mark_safe(), | n, | safe
@phildini #djangotoad CSRF Cross-Site Request Forgery
@phildini #djangotoad CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py
@phildini #djangotoad if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #djangotoad def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_airs(view_func) )(wrapped_view)
@phildini #djangotoad django.views.decorators.csrf.csrf_exempt
@phildini #djangotoad @csrf_exempt def my_view(request): … @method_decorator(csrf_exempt, dispatch) class MyCBV(View):
….
@phildini #djangotoad if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #djangotoad Cookies
@phildini #djangotoad SQLi SQL InjecDon
@phildini #djangotoad [This Slide IntenDonally Len Blank]
@phildini #djangotoad .extra(), RawSQL(), .raw()
@phildini #djangotoad Clickjacking
@phildini #djangotoad XFrameOpDonsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py
@phildini #djangotoad @xframe_op1ons_exempt def my_view(request): … @method_decorator(xframe_op1ons_exempt, dispatch) class MyCBV(View):
….
@phildini #djangotoad Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
@phildini #djangotoad Host Header ValidaDon
@phildini #djangotoad get_host() https://github.com/django/django/blob/master/django/http/request.py#L95
@phildini #djangotoad if domain and in ALLOWED_HOSTS: proceed else: raise
error
@phildini #djangotoad Passwords
@phildini #djangotoad django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py
@phildini #djangotoad How do we make this beier?
@phildini #djangotoad Constant Vigilance!
@phildini #djangotoad HTTPS
@phildini #djangotoad CSP ReporDng Content Security Policy
@phildini #djangotoad django_encrypted_fields hips:/ /github.com/defrex/django-encrypted-fields
@phildini #djangotoad django-secure hip:/ /django-secure.readthedocs.org/en/v0.1.2/
@phildini #djangotoad Pony Checkup hips:/ /www.ponycheckup.com/
@phildini #djangotoad Making Django Ridiculously Secure hip:/ /nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
@phildini #djangotoad
@phildini #djangotoad The End. Philip James @phildini hip:/ /bit.ly/djangotoad