Safe-ish By Default

Transcript

1. #safedjango @phildini Safe-ish by Default The Django Security Model and

   How to Make it Better Philip James

2. #safedjango @phildini Who’s this guy?

3. #safedjango @phildini How We Use Django at Eventbrite

4. #safedjango @phildini Safe-ish? #safedjango @phildini

5. #safedjango @phildini XSS

6. #safedjango @phildini <script>alert(‘hello’)</script> &lt;script&gt;alert(&#39;hello&#39;)&lt;/script&gt;

7. #safedjango @phildini return mark_safe( force_text(text).replace('&', '&amp;').replace('<', ‘&lt;').replace( '>', '&gt;').replace('"', '&quot;').replace("'",

   ‘&#39;') )

8. #safedjango @phildini mark_safe(), | n, | safe

9. #safedjango @phildini CSRF

10. #safedjango @phildini CsrfViewMiddleware

11. #safedjango @phildini if request is a POST: get csrf_token from

    cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

12. #safedjango @phildini def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)

    wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)

13. #safedjango @phildini if request is a POST and not view.csrf_exempt:

    get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

14. #safedjango @phildini Sidenote: Cookies

15. #safedjango @phildini SQLi

16. #safedjango @phildini Don't ever confuse code and data, it's the

    key to happiness - Alex Gaynor

17. #safedjango @phildini .extra(), RawSQL()

18. #safedjango @phildini Clickjacking

19. #safedjango @phildini XFrameOptionsMiddleware

20. #safedjango @phildini Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari

    4+ Chrome 4.1+

21. #safedjango @phildini Host Header Validation

22. #safedjango @phildini get_host()

23. #safedjango @phildini if domain and in ALLOWED_HOSTS: proceed else: raise

    error

24. #safedjango @phildini Sessions

25. #safedjango @phildini Passwords

26. #safedjango @phildini How Can We Make This Safer?

27. #safedjango @phildini Constant Vigilance!

28. #safedjango @phildini HTTPS

29. #safedjango @phildini What Does EB Do?

30. #safedjango @phildini CSP Reporting

31. #safedjango @phildini EBSecure

32. #safedjango @phildini crypter = Crypter.Read("/path/to/your/keys") ciphertext = crypter.Encrypt("Secret message")

33. #safedjango @phildini crypter = EBSecure(keyname) secret = crypter.encrypt(value.encode('utf8')

34. #safedjango @phildini django_encrypted_fields https://github.com/defrex/django-encrypted-fields

35. #safedjango @phildini Other Resources

36. #safedjango @phildini django-secure http://django-secure.readthedocs.org/en/v0.1.2/

37. #safedjango @phildini Pony Checkup https://www.ponycheckup.com/

38. #safedjango @phildini Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/

39. #safedjango @phildini Thanks! Questions?