Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Safe-ish By Default
Search
Philip James
December 10, 2015
Technology
0
81
Safe-ish By Default
The Django Security Model and How to Make it Better
Philip James
December 10, 2015
Tweet
Share
More Decks by Philip James
See All by Philip James
Frog and Toad Learn about Django Security - NBT6
phildini
0
24
The Elephant and the Serpent (PyLatam 2019)
phildini
0
44
Account Security for the Fashionable App Developer
phildini
1
64
All in the Timing: Side-Channel Attacks
phildini
0
54
Giving Thanks
phildini
0
42
All in the Timing: Side-Channel Attacks in Python
phildini
0
400
API-Driven Django
phildini
1
350
Type uWSGI; Press Enter; What Happens?
phildini
0
93
Type uWSGI; Press Enter; What Happens?
phildini
1
73
Other Decks in Technology
See All in Technology
MobileActOsaka_241018.pdf
akaitadaaki
0
110
KubeVirt Networking ONIC 2024
orimanabu
4
730
寒冷地稲作の歴史にみるコミュニティ
miu_crescent
2
140
ReSTIRの数理と実装 (rtcamp10)
yumcyawiz
1
470
XSS攻撃から考察するAWS設定不備の恐怖/20241012 Hironobu Otaki
shift_evolve
0
130
RAG: from dumb implementation to serious results
glaforge
0
640
20241015 Toranomon Tech Hub#1 Service Catalog使ってみた
hiashisan
0
220
SageMaker学習のツボ / The Key Points of Learning SageMaker
cmhiranofumio
0
280
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
48k
入社半年(合計1年)でGoogle Cloud 認定を全冠した秘訣🤫
risatube
1
270
Microsoft 365 でデータセキュリティを強化しよう
sophiakunii
2
470
複数の外部サービスデータの統合と変換を実現する Railsのインポートアーキテクチャ / Rails import architecture for integration and transformation of multiple external service data
aiandrox
0
290
Featured
See All Featured
Into the Great Unknown - MozCon
thekraken
31
1.4k
The Pragmatic Product Professional
lauravandoore
31
6.2k
Ruby is Unlike a Banana
tanoku
96
11k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
40
2.1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
37
1.7k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Typedesign – Prime Four
hannesfritz
39
2.4k
Become a Pro
speakerdeck
PRO
24
4.9k
Visualization
eitanlees
143
15k
Practical Orchestrator
shlominoach
186
10k
Adopting Sorbet at Scale
ufuk
73
9k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Transcript
#safedjango @phildini Safe-ish by Default The Django Security Model and
How to Make it Better Philip James
#safedjango @phildini Who’s this guy?
#safedjango @phildini How We Use Django at Eventbrite
#safedjango @phildini Safe-ish? #safedjango @phildini
#safedjango @phildini XSS
#safedjango @phildini <script>alert(‘hello’)</script> <script>alert('hello')</script>
#safedjango @phildini return mark_safe( force_text(text).replace('&', '&').replace('<', ‘<').replace( '>', '>').replace('"', '"').replace("'",
‘'') )
#safedjango @phildini mark_safe(), | n, | safe
#safedjango @phildini CSRF
#safedjango @phildini CsrfViewMiddleware
#safedjango @phildini if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)
#safedjango @phildini if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini Sidenote: Cookies
#safedjango @phildini SQLi
#safedjango @phildini Don't ever confuse code and data, it's the
key to happiness - Alex Gaynor
#safedjango @phildini .extra(), RawSQL()
#safedjango @phildini Clickjacking
#safedjango @phildini XFrameOptionsMiddleware
#safedjango @phildini Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
#safedjango @phildini Host Header Validation
#safedjango @phildini get_host()
#safedjango @phildini if domain and in ALLOWED_HOSTS: proceed else: raise
error
#safedjango @phildini Sessions
#safedjango @phildini Passwords
#safedjango @phildini How Can We Make This Safer?
#safedjango @phildini Constant Vigilance!
#safedjango @phildini HTTPS
#safedjango @phildini What Does EB Do?
#safedjango @phildini CSP Reporting
#safedjango @phildini EBSecure
#safedjango @phildini crypter = Crypter.Read("/path/to/your/keys") ciphertext = crypter.Encrypt("Secret message")
#safedjango @phildini crypter = EBSecure(keyname) secret = crypter.encrypt(value.encode('utf8')
#safedjango @phildini django_encrypted_fields https://github.com/defrex/django-encrypted-fields
#safedjango @phildini Other Resources
#safedjango @phildini django-secure http://django-secure.readthedocs.org/en/v0.1.2/
#safedjango @phildini Pony Checkup https://www.ponycheckup.com/
#safedjango @phildini Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
#safedjango @phildini Thanks! Questions?