Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Safe-ish By Default
Search
Philip James
December 10, 2015
Technology
0
81
Safe-ish By Default
The Django Security Model and How to Make it Better
Philip James
December 10, 2015
Tweet
Share
More Decks by Philip James
See All by Philip James
Frog and Toad Learn about Django Security - NBT6
phildini
0
19
The Elephant and the Serpent (PyLatam 2019)
phildini
0
42
Account Security for the Fashionable App Developer
phildini
1
59
All in the Timing: Side-Channel Attacks
phildini
0
48
Giving Thanks
phildini
0
39
All in the Timing: Side-Channel Attacks in Python
phildini
0
370
API-Driven Django
phildini
1
320
Type uWSGI; Press Enter; What Happens?
phildini
0
93
Type uWSGI; Press Enter; What Happens?
phildini
1
73
Other Decks in Technology
See All in Technology
ビジネスとエンジニアリングの接合点 そしてコード品質がそこに及ぼす影響 v1.1 / The Intersections of Business and Engineering, and The Impact of Code Quality There (v1.1)
mtx2s
11
2.4k
「ふりかえりのふりかえり」をふりかえり、実のあるふりかえりにする
naitosatoshi
0
200
プロダクト開発における ソフトウェアサプライチェーンセキュリティ: 実践的フレームワークとその活用 / Software Supply Chain Security in Product Development: Practical Framework and their applications
nttcom
1
310
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
1
630
CSSDAY 2024
kevinshallvari
0
180
「共通基盤」を超えよ! 今、Platform Engineeringに取り組むべき理由
jacopen
25
5.6k
SREとその組織類型
tatsuo48
8
1.4k
Let's get started with Ruby && Rails Tips
sinsoku
0
190
Signals Unleashed: The Full Guide
rainerhahnekamp
0
350
社内勉強会運営のコツ
senoo
6
1.1k
プロデザ! BY リクルート vol.18_リクルートのリサーチ実践組織「リサーチブーストコミュニティ」
recruitengineers
PRO
2
210
The CloudCompare project by Dr. Daniel Girardeau-Montaut
kentaitakura
0
480
Featured
See All Featured
Bash Introduction
62gerente
604
210k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
118
38k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
990
We Have a Design System, Now What?
morganepeng
42
6.7k
Side Projects
sachag
451
41k
Designing Experiences People Love
moore
135
23k
Web development in the modern age
philhawksworth
201
10k
Visualization
eitanlees
135
14k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
103
6.6k
RailsConf 2023
tenderlove
0
530
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Transcript
#safedjango @phildini Safe-ish by Default The Django Security Model and
How to Make it Better Philip James
#safedjango @phildini Who’s this guy?
#safedjango @phildini How We Use Django at Eventbrite
#safedjango @phildini Safe-ish? #safedjango @phildini
#safedjango @phildini XSS
#safedjango @phildini <script>alert(‘hello’)</script> <script>alert('hello')</script>
#safedjango @phildini return mark_safe( force_text(text).replace('&', '&').replace('<', ‘<').replace( '>', '>').replace('"', '"').replace("'",
‘'') )
#safedjango @phildini mark_safe(), | n, | safe
#safedjango @phildini CSRF
#safedjango @phildini CsrfViewMiddleware
#safedjango @phildini if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)
#safedjango @phildini if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini Sidenote: Cookies
#safedjango @phildini SQLi
#safedjango @phildini Don't ever confuse code and data, it's the
key to happiness - Alex Gaynor
#safedjango @phildini .extra(), RawSQL()
#safedjango @phildini Clickjacking
#safedjango @phildini XFrameOptionsMiddleware
#safedjango @phildini Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
#safedjango @phildini Host Header Validation
#safedjango @phildini get_host()
#safedjango @phildini if domain and in ALLOWED_HOSTS: proceed else: raise
error
#safedjango @phildini Sessions
#safedjango @phildini Passwords
#safedjango @phildini How Can We Make This Safer?
#safedjango @phildini Constant Vigilance!
#safedjango @phildini HTTPS
#safedjango @phildini What Does EB Do?
#safedjango @phildini CSP Reporting
#safedjango @phildini EBSecure
#safedjango @phildini crypter = Crypter.Read("/path/to/your/keys") ciphertext = crypter.Encrypt("Secret message")
#safedjango @phildini crypter = EBSecure(keyname) secret = crypter.encrypt(value.encode('utf8')
#safedjango @phildini django_encrypted_fields https://github.com/defrex/django-encrypted-fields
#safedjango @phildini Other Resources
#safedjango @phildini django-secure http://django-secure.readthedocs.org/en/v0.1.2/
#safedjango @phildini Pony Checkup https://www.ponycheckup.com/
#safedjango @phildini Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
#safedjango @phildini Thanks! Questions?