Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

Safe-ish By Default

Avatar for Philip James Philip James
December 10, 2015
Technology
0
85

Safe-ish By Default

The Django Security Model and How to Make it Better

Avatar for Philip James

Philip James

December 10, 2015
Tweet

More Decks by Philip James

See All by Philip James
Frog and Toad Learn about Django Security - NBT6
Avatar for Philip James phildini
0
27
The Elephant and the Serpent (PyLatam 2019)
Avatar for Philip James phildini
0
68
Account Security for the Fashionable App Developer
Avatar for Philip James phildini
1
70
All in the Timing: Side-Channel Attacks
Avatar for Philip James phildini
0
67
Giving Thanks
Avatar for Philip James phildini
0
46
All in the Timing: Side-Channel Attacks in Python
Avatar for Philip James phildini
0
420
API-Driven Django
Avatar for Philip James phildini
1
410
Type uWSGI; Press Enter; What Happens?
Avatar for Philip James phildini
0
100
Type uWSGI; Press Enter; What Happens?
Avatar for Philip James phildini
1
81

Other Decks in Technology

See All in Technology
Kiro を用いたペアプロのススメ
Avatar for Taiki Sugawara taikis
4
1.4k
20251219 OpenIDファウンデーション・ジャパン紹介 / OpenID Foundation Japan Intro
Avatar for OpenID Foundation Japan oidfj
0
390
AWS re:Invent 2025~初参加の成果と学び~
Avatar for Kubo kubomasataka
0
170
SQLだけでマイグレーションしたい!
Avatar for MakKi makki_d
0
1.2k
たまに起きる外部サービスの障害に備えたり備えなかったりする話
Avatar for Sohei Iwahori egmc
0
360
1人1サービス開発しているチームでのClaudeCodeの使い方
Avatar for おーしろ noayaoshiro
2
550
ペアーズにおけるAIエージェント 基盤とText to SQLツールの紹介
Avatar for Hikaru Sasamoto hisamouna
2
1.3k
さくらのクラウド開発ふりかえり2025
Avatar for kazeburo kazeburo
2
180
IAMユーザーゼロの運用は果たして可能なのか
Avatar for Yuuki Yamashita yama3133
2
520
Bedrock AgentCore Memoryの新機能 (Episode) を試してみた / try Bedrock AgentCore Memory Episodic functionarity
Avatar for hoshi7_n hoshi7_n
2
1.4k
フィッシュボウルのやり方 / How to do a fishbowl
Avatar for Pauli pauli
2
340
障害対応訓練、その前に
Avatar for coconala_engineer coconala_engineer
0
150

Featured

See All Featured
Claude Code どこまでも/ Claude Code Everywhere
Avatar for nwiizo nwiizo
61
47k
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
29k
How STYLIGHT went responsive
Avatar for nonsquared nonsquared
100
6k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
Avatar for Sophie Logan marketingsoph
0
40
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
51k
Amusing Abliteration
Avatar for ianozsvald ianozsvald
0
64
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.2k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.6k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
127
17k
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
0
69
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k

Transcript

  1. #safedjango @phildini Safe-ish by Default The Django Security Model and

    How to Make it Better Philip James

  2. #safedjango @phildini Who’s this guy?

  3. #safedjango @phildini How We Use Django at Eventbrite

  4. #safedjango @phildini Safe-ish? #safedjango @phildini

  5. #safedjango @phildini XSS

  6. #safedjango @phildini <script>alert(‘hello’)</script> &lt;script&gt;alert(&#39;hello&#39;)&lt;/script&gt;

  7. #safedjango @phildini return mark_safe( force_text(text).replace('&', '&amp;').replace('<', ‘&lt;').replace( '>', '&gt;').replace('"', '&quot;').replace("'",

    ‘&#39;') )

  8. #safedjango @phildini mark_safe(), | n, | safe

  9. #safedjango @phildini CSRF

  10. #safedjango @phildini CsrfViewMiddleware

  11. #safedjango @phildini if request is a POST: get csrf_token from

    cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

  12. #safedjango @phildini def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)

    wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)

  13. #safedjango @phildini if request is a POST and not view.csrf_exempt:

    get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

  14. #safedjango @phildini Sidenote: Cookies

  15. #safedjango @phildini SQLi

  16. #safedjango @phildini Don't ever confuse code and data, it's the

    key to happiness - Alex Gaynor

  17. #safedjango @phildini .extra(), RawSQL()

  18. #safedjango @phildini Clickjacking

  19. #safedjango @phildini XFrameOptionsMiddleware

  20. #safedjango @phildini Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari

    4+ Chrome 4.1+

  21. #safedjango @phildini Host Header Validation

  22. #safedjango @phildini get_host()

  23. #safedjango @phildini if domain and in ALLOWED_HOSTS: proceed else: raise

    error

  24. #safedjango @phildini Sessions

  25. #safedjango @phildini Passwords

  26. #safedjango @phildini How Can We Make This Safer?

  27. #safedjango @phildini Constant Vigilance!

  28. #safedjango @phildini HTTPS

  29. #safedjango @phildini What Does EB Do?

  30. #safedjango @phildini CSP Reporting

  31. #safedjango @phildini EBSecure

  32. #safedjango @phildini crypter = Crypter.Read("/path/to/your/keys") ciphertext = crypter.Encrypt("Secret message")

  33. #safedjango @phildini crypter = EBSecure(keyname) secret = crypter.encrypt(value.encode('utf8')

  34. #safedjango @phildini django_encrypted_fields https://github.com/defrex/django-encrypted-fields

  35. #safedjango @phildini Other Resources

  36. #safedjango @phildini django-secure http://django-secure.readthedocs.org/en/v0.1.2/

  37. #safedjango @phildini Pony Checkup https://www.ponycheckup.com/

  38. #safedjango @phildini Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/

  39. #safedjango @phildini Thanks! Questions?