Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Safe-ish By Default
Search
Philip James
December 10, 2015
Technology
89
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Safe-ish By Default
The Django Security Model and How to Make it Better
Philip James
December 10, 2015
More Decks by Philip James
See All by Philip James
Frog and Toad Learn about Django Security - NBT6
phildini
0
35
The Elephant and the Serpent (PyLatam 2019)
phildini
0
75
Account Security for the Fashionable App Developer
phildini
1
75
All in the Timing: Side-Channel Attacks
phildini
0
79
Giving Thanks
phildini
0
50
All in the Timing: Side-Channel Attacks in Python
phildini
0
430
API-Driven Django
phildini
1
440
Type uWSGI; Press Enter; What Happens?
phildini
0
120
Type uWSGI; Press Enter; What Happens?
phildini
1
97
Other Decks in Technology
See All in Technology
なぜ人は自分のプロジェクトを 「なんちゃってアジャイル」と 自嘲するのか
kozotaira
0
260
アラート調査向けAIエージェントの本番導入とその後/AI Agents for Alert Investigation: Production Deployment and After
taddy_919
1
390
小さいから、全部わかる。— 常駐AI "xangi" のすすめ
sugupoko
0
270
アカウントが増えてからでは遅い? ~ マルチアカウント統制の勘所 ~
kenichinakamura
0
150
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
11k
CSに"SLO"は要らない、経営層に"99.9%"は伝わらない - SREを全社に"翻訳"する3原則
cscengineer
PRO
0
2.3k
Road to SRE NEXTの今までとこれから
hiroyaonoe
0
130
AIペネトレーションテスト・ セキュリティ検証「AgenticSec」紹介資料
laysakura
2
8k
そのタスクオンスケですか?
poropinai1966
0
140
DMM.com 購入改善推進チーム におけるCodeRabbitを用いた レビューフロー改善の一例
ysknsid25
1
300
CIで使うClaude
iwatatomoya
0
110
NDIAS CTF 2026 問題解説会資料
bata_24
0
180
Featured
See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
128
18k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
23k
Getting science done with accelerated Python computing platforms
jacobtomlinson
2
250
The World Runs on Bad Software
bkeepers
PRO
72
12k
4 Signs Your Business is Dying
shpigford
187
22k
How to Talk to Developers About Accessibility
jct
2
280
Designing for humans not robots
tammielis
254
26k
Site-Speed That Sticks
csswizardry
13
1.2k
Exploring anti-patterns in Rails
aemeredith
3
440
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
280
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
180
We Have a Design System, Now What?
morganepeng
55
8.2k
Transcript
#safedjango @phildini Safe-ish by Default The Django Security Model and
How to Make it Better Philip James
#safedjango @phildini Who’s this guy?
#safedjango @phildini How We Use Django at Eventbrite
#safedjango @phildini Safe-ish? #safedjango @phildini
#safedjango @phildini XSS
#safedjango @phildini <script>alert(‘hello’)</script> <script>alert('hello')</script>
#safedjango @phildini return mark_safe( force_text(text).replace('&', '&').replace('<', ‘<').replace( '>', '>').replace('"', '"').replace("'",
‘'') )
#safedjango @phildini mark_safe(), | n, | safe
#safedjango @phildini CSRF
#safedjango @phildini CsrfViewMiddleware
#safedjango @phildini if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)
#safedjango @phildini if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini Sidenote: Cookies
#safedjango @phildini SQLi
#safedjango @phildini Don't ever confuse code and data, it's the
key to happiness - Alex Gaynor
#safedjango @phildini .extra(), RawSQL()
#safedjango @phildini Clickjacking
#safedjango @phildini XFrameOptionsMiddleware
#safedjango @phildini Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
#safedjango @phildini Host Header Validation
#safedjango @phildini get_host()
#safedjango @phildini if domain and in ALLOWED_HOSTS: proceed else: raise
error
#safedjango @phildini Sessions
#safedjango @phildini Passwords
#safedjango @phildini How Can We Make This Safer?
#safedjango @phildini Constant Vigilance!
#safedjango @phildini HTTPS
#safedjango @phildini What Does EB Do?
#safedjango @phildini CSP Reporting
#safedjango @phildini EBSecure
#safedjango @phildini crypter = Crypter.Read("/path/to/your/keys") ciphertext = crypter.Encrypt("Secret message")
#safedjango @phildini crypter = EBSecure(keyname) secret = crypter.encrypt(value.encode('utf8')
#safedjango @phildini django_encrypted_fields https://github.com/defrex/django-encrypted-fields
#safedjango @phildini Other Resources
#safedjango @phildini django-secure http://django-secure.readthedocs.org/en/v0.1.2/
#safedjango @phildini Pony Checkup https://www.ponycheckup.com/
#safedjango @phildini Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
#safedjango @phildini Thanks! Questions?