Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Safe-ish By Default
Search
Philip James
December 10, 2015
Technology
0
82
Safe-ish By Default
The Django Security Model and How to Make it Better
Philip James
December 10, 2015
Tweet
Share
More Decks by Philip James
See All by Philip James
Frog and Toad Learn about Django Security - NBT6
phildini
0
26
The Elephant and the Serpent (PyLatam 2019)
phildini
0
67
Account Security for the Fashionable App Developer
phildini
1
66
All in the Timing: Side-Channel Attacks
phildini
0
61
Giving Thanks
phildini
0
45
All in the Timing: Side-Channel Attacks in Python
phildini
0
420
API-Driven Django
phildini
1
400
Type uWSGI; Press Enter; What Happens?
phildini
0
97
Type uWSGI; Press Enter; What Happens?
phildini
1
78
Other Decks in Technology
See All in Technology
TypeScript入門
recruitengineers
PRO
16
4.7k
サービスロボット最前線:ugoが挑むPhysical AI活用
kmatsuiugo
0
190
認知戦の理解と、市民としての対抗策
hogehuga
0
360
実践データベース設計 ①データベース設計概論
recruitengineers
PRO
2
240
VPC Latticeのサービスエンドポイント機能を使用した複数VPCアクセス
duelist2020jp
0
230
Goでマークダウンの独自記法を実装する
lag129
0
210
Goss: New Production-Ready Go Binding for Faiss #coefl_go_jp
bengo4com
0
1.1k
新規案件の立ち上げ専門チームから見たAI駆動開発の始め方
shuyakinjo
0
120
Claude Code x Androidアプリ 開発
kgmyshin
1
580
EKS Pod Identity における推移的な session tags
z63d
1
200
LLMエージェント時代に適応した開発フロー
hiragram
1
410
kintone開発チームの紹介
cybozuinsideout
PRO
0
73k
Featured
See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
Designing Experiences People Love
moore
142
24k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.1k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
50
5.5k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
1k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.4k
BBQ
matthewcrist
89
9.8k
How to Ace a Technical Interview
jacobian
279
23k
Transcript
#safedjango @phildini Safe-ish by Default The Django Security Model and
How to Make it Better Philip James
#safedjango @phildini Who’s this guy?
#safedjango @phildini How We Use Django at Eventbrite
#safedjango @phildini Safe-ish? #safedjango @phildini
#safedjango @phildini XSS
#safedjango @phildini <script>alert(‘hello’)</script> <script>alert('hello')</script>
#safedjango @phildini return mark_safe( force_text(text).replace('&', '&').replace('<', ‘<').replace( '>', '>').replace('"', '"').replace("'",
‘'') )
#safedjango @phildini mark_safe(), | n, | safe
#safedjango @phildini CSRF
#safedjango @phildini CsrfViewMiddleware
#safedjango @phildini if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)
#safedjango @phildini if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini Sidenote: Cookies
#safedjango @phildini SQLi
#safedjango @phildini Don't ever confuse code and data, it's the
key to happiness - Alex Gaynor
#safedjango @phildini .extra(), RawSQL()
#safedjango @phildini Clickjacking
#safedjango @phildini XFrameOptionsMiddleware
#safedjango @phildini Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
#safedjango @phildini Host Header Validation
#safedjango @phildini get_host()
#safedjango @phildini if domain and in ALLOWED_HOSTS: proceed else: raise
error
#safedjango @phildini Sessions
#safedjango @phildini Passwords
#safedjango @phildini How Can We Make This Safer?
#safedjango @phildini Constant Vigilance!
#safedjango @phildini HTTPS
#safedjango @phildini What Does EB Do?
#safedjango @phildini CSP Reporting
#safedjango @phildini EBSecure
#safedjango @phildini crypter = Crypter.Read("/path/to/your/keys") ciphertext = crypter.Encrypt("Secret message")
#safedjango @phildini crypter = EBSecure(keyname) secret = crypter.encrypt(value.encode('utf8')
#safedjango @phildini django_encrypted_fields https://github.com/defrex/django-encrypted-fields
#safedjango @phildini Other Resources
#safedjango @phildini django-secure http://django-secure.readthedocs.org/en/v0.1.2/
#safedjango @phildini Pony Checkup https://www.ponycheckup.com/
#safedjango @phildini Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
#safedjango @phildini Thanks! Questions?