Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Safe-ish By Default
Search
Philip James
December 10, 2015
Technology
0
82
Safe-ish By Default
The Django Security Model and How to Make it Better
Philip James
December 10, 2015
Tweet
Share
More Decks by Philip James
See All by Philip James
Frog and Toad Learn about Django Security - NBT6
phildini
0
26
The Elephant and the Serpent (PyLatam 2019)
phildini
0
67
Account Security for the Fashionable App Developer
phildini
1
66
All in the Timing: Side-Channel Attacks
phildini
0
61
Giving Thanks
phildini
0
45
All in the Timing: Side-Channel Attacks in Python
phildini
0
420
API-Driven Django
phildini
1
390
Type uWSGI; Press Enter; What Happens?
phildini
0
97
Type uWSGI; Press Enter; What Happens?
phildini
1
75
Other Decks in Technology
See All in Technology
AIに全任せしないコーディングとマネジメント思考
kikuchikakeru
0
280
Kiro Hookを Terraformで検証
ao_inoue
0
140
ファインディにおける Dataform ブランチ戦略
hiracky16
0
220
AI によるドキュメント処理を加速するためのOCR 結果の永続化と再利用戦略
tomoaki25
0
130
M365アカウント侵害時の初動対応
lhazy
7
5.1k
今日からあなたもGeminiを好きになる
subaruhello
1
660
MCPに潜むセキュリティリスクを考えてみる
milix_m
1
880
分散トレーシングによる コネクティッドカーのデータ処理見える化の試み
thatsdone
0
270
AI人生苦節10年で会得したAIがやること_人間がやること.pdf
shibuiwilliam
1
210
公開初日に個人環境で試した Gemini CLI 体験記など / Gemini CLI実験レポート
you
PRO
3
660
Snowflake のアーキテクチャは本当に筋がよかったのか / Data Engineering Study #30
indigo13love
0
290
With Devin -AIの自律とメンバーの自立
kotanin0
2
840
Featured
See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Designing Experiences People Love
moore
142
24k
Stop Working from a Prison Cell
hatefulcrawdad
271
21k
RailsConf 2023
tenderlove
30
1.2k
The Straight Up "How To Draw Better" Workshop
denniskardys
235
140k
The Invisible Side of Design
smashingmag
301
51k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
8
860
The Pragmatic Product Professional
lauravandoore
35
6.8k
Adopting Sorbet at Scale
ufuk
77
9.5k
Embracing the Ebb and Flow
colly
86
4.8k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.7k
Practical Orchestrator
shlominoach
189
11k
Transcript
#safedjango @phildini Safe-ish by Default The Django Security Model and
How to Make it Better Philip James
#safedjango @phildini Who’s this guy?
#safedjango @phildini How We Use Django at Eventbrite
#safedjango @phildini Safe-ish? #safedjango @phildini
#safedjango @phildini XSS
#safedjango @phildini <script>alert(‘hello’)</script> <script>alert('hello')</script>
#safedjango @phildini return mark_safe( force_text(text).replace('&', '&').replace('<', ‘<').replace( '>', '>').replace('"', '"').replace("'",
‘'') )
#safedjango @phildini mark_safe(), | n, | safe
#safedjango @phildini CSRF
#safedjango @phildini CsrfViewMiddleware
#safedjango @phildini if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_attrs(view_func) )(wrapped_view)
#safedjango @phildini if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
#safedjango @phildini Sidenote: Cookies
#safedjango @phildini SQLi
#safedjango @phildini Don't ever confuse code and data, it's the
key to happiness - Alex Gaynor
#safedjango @phildini .extra(), RawSQL()
#safedjango @phildini Clickjacking
#safedjango @phildini XFrameOptionsMiddleware
#safedjango @phildini Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
#safedjango @phildini Host Header Validation
#safedjango @phildini get_host()
#safedjango @phildini if domain and in ALLOWED_HOSTS: proceed else: raise
error
#safedjango @phildini Sessions
#safedjango @phildini Passwords
#safedjango @phildini How Can We Make This Safer?
#safedjango @phildini Constant Vigilance!
#safedjango @phildini HTTPS
#safedjango @phildini What Does EB Do?
#safedjango @phildini CSP Reporting
#safedjango @phildini EBSecure
#safedjango @phildini crypter = Crypter.Read("/path/to/your/keys") ciphertext = crypter.Encrypt("Secret message")
#safedjango @phildini crypter = EBSecure(keyname) secret = crypter.encrypt(value.encode('utf8')
#safedjango @phildini django_encrypted_fields https://github.com/defrex/django-encrypted-fields
#safedjango @phildini Other Resources
#safedjango @phildini django-secure http://django-secure.readthedocs.org/en/v0.1.2/
#safedjango @phildini Pony Checkup https://www.ponycheckup.com/
#safedjango @phildini Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
#safedjango @phildini Thanks! Questions?