Upgrade to Pro — share decks privately, control downloads, hide ads and more …

2016 - Philip James - Safe-ish By Default: The Django Security Model and How to Make it Better Security, Intermediate

PyBay
August 21, 2016
Programming
0
110

2016 - Philip James - Safe-ish By Default: The Django Security Model and How to Make it Better Security, Intermediate

Description
Come join us by the fire as we have Security Story Time with our friends, Frog and Toad. With them, you'll learn about all the things Django does to protect users and developers out of the box. We'll look at simplified code samples from the Django codebase to see what's happening under the hood, and cover how to make the Django security model even stronger in your application

Abstract
Introduction to the story, and the characters. Safe-ish: Talk about Django’s Security Model and how it tries to provide sane defaults for developers

Run-through of the parts of the django security model:

* XSS (brief definition). How do you turn it off? Mark Safe, | n, safe
* CSRF (brief definition). Django has middleware that checks POST requests for a token. Token is stored in cookie, also. Side-effect: harder to JS. Also, only an issue if you’re already owned, so maybe not an issue?. How to get around it? csrf_exempt
* SQLi (brief definition). Django’s ORM makes clean sql, (even when given bad data?). How? How to get around it: extra()/RawSQL()
* Clickjacking protection (brief definition). Django has middleware that sets headers browsers are supposed to respect. How to get around it: xframe_options_exempt, xframe_options_deny, xframe_options_sameorigin
* HTTPS. This one is less "out of the box" than the others, so won’t be talked about here.
* Host Header Validation (brief definition). Django verifies against allowed hosts in settings. How? get_host()
* Session security. What are django sessions?. Cookie-based by design. How can we make this better?
* Overall: Vigilance. Be aware of uses of this within your product
* HTTPS: Use it!. Set the correct settings. SECURE_SSL_REDIRECT: How does it work?

Bio
Philip is a Senior Software Engineer at Eventbrite. In his spare time, he writes novels, makes twitter bots, and gives technical talks. He used to run a webcomic, but there's just no money in it, you know? Philip is a refugee from the video games industry, and wishes anyone still there the best of luck. Philip has spoken at conferences about Python, Django, Node.js, and Linux. Philip believes in the web.

https://youtu.be/egXUKENoJA0

PyBay

August 21, 2016
Tweet

More Decks by PyBay

See All by PyBay
2017 - The Packaging Gradient
pybay
2
740
2017 - Building Bridges: Stopping Python 2 without damages
pybay
0
530
2017 - Bringing Python 3 to LinkedIn
pybay
1
470
2017 - Python Debugging with PUDB
pybay
0
480
2017 - Opening up to Open Source
pybay
0
170
2017 - A Gentle Introduction to Text Classification with Deep Learning
pybay
2
140
2017 - Performant Asynchronous Programming at Quora
pybay
1
280
2017 - latus - a Personal Cloud Storage App written in Python
pybay
2
410
2017 - Everything You Ever Wanted to Know About Web Authentication in Python
pybay
3
410

Other Decks in Programming

See All in Programming
Deep Dive into React Stream/Serialize
mugi_uno
3
660
Micro Frontends for Java Microservices - Utah JUG 2024
mraible
PRO
1
110
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
7
970
Netty Chicago Java User Group 2024-04-17
sullis
0
200
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
220
Introducing Kotlin Multiplatform in an existing mobile app - Workshop Edition | AndroidMakers Paris
prof18
0
150
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
27
8.5k
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
140
見た目から始める生産性向上
ikumatadokoro
10
1.4k
Amazon SQSコンシューマー疎結合への旅 - 出張! #DevelopersIO IT技術ブログの中の人が語る勉強会 #3
quiver
0
310
SIMD Parallel Programming with the Vector API
josepaumard
0
230
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
180

Featured

See All Featured
Practical Orchestrator
shlominoach
183
9.7k
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
Fireside Chat
paigeccino
22
2.6k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
20
1.6k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.2k
10 Git Anti Patterns You Should be Aware of
lemiorhan
649
58k
Designing with Data
zakiwarfel
96
4.8k
Building a Scalable Design System with Sketch
lauravandoore
457
32k
Raft: Consensus for Rubyists
vanstee
133
6.3k
Product Roadmaps are Hard
iamctodd
45
9.7k
Rebuilding a faster, lazier Slack
samanthasiow
74
8.2k

Transcript

  1. #safedjango @phildini Safe-ish by Default The Django Security Model and

    How to Make it Be>er Philip James

  2. #safedjango @phildini Who’s this guy?

  3. #safedjango @phildini I’ve got this great idea for a startup…

  4. #safedjango @phildini Bezos Books • A site for selling books

    • Authors have a form where they can put in book informaLon • That book informaLon gets rendered to a book page • There is a form on the book page for buying the book

  5. #safedjango @phildini (Hint: We’re going to use Django)

  6. #safedjango @phildini Safe-ish?

  7. #safedjango @phildini XSS Cross-Site ScripLng

  8. #safedjango @phildini <script>alert(‘hello’)</script> &lt;script&gt;alert(&#39;hello&#39;)&lt;/script&gt;

  9. #safedjango @phildini return mark_safe( force_text(text) .replace('&', '&amp;') .replace('<', '&lt;') .replace('>',

    '&gt;') .replace('"', '&quot;') .replace("'", '&#39;') )

  10. #safedjango @phildini mark_safe(), | n, | safe

  11. #safedjango @phildini CSRF Cross-Site Request Forgery

  12. #safedjango @phildini CsrfViewMiddleware

  13. #safedjango @phildini if request is a POST: get csrf_token from

    cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

  14. #safedjango @phildini def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)

    wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_a>rs(view_func) )(wrapped_view)

  15. #safedjango @phildini if request is a POST and not view.csrf_exempt:

    get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

  16. #safedjango @phildini Sidenote: Cookies

  17. #safedjango @phildini SQLi SQL InjecLon

  18. #safedjango @phildini Don't ever confuse code and data, it's the

    key to happiness - Alex Gaynor

  19. #safedjango @phildini .extra(), RawSQL()

  20. #safedjango @phildini Clickjacking

  21. #safedjango @phildini XFrameOpLonsMiddleware

  22. #safedjango @phildini Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari

    4+ Chrome 4.1+

  23. #safedjango @phildini Host Header ValidaLon

  24. #safedjango @phildini get_host()

  25. #safedjango @phildini if domain and in ALLOWED_HOSTS: proceed else: raise

    error

  26. #safedjango @phildini Sessions

  27. #safedjango @phildini Passwords

  28. #safedjango @phildini How Can We Make This Safer?

  29. #safedjango @phildini Constant Vigilance!

  30. #safedjango @phildini HTTPS

  31. #safedjango @phildini CSP ReporLng Content Security Policy

  32. #safedjango @phildini django_encrypted_fields h>ps:/ /github.com/defrex/django-encrypted-fields

  33. #safedjango @phildini django-secure h>p:/ /django-secure.readthedocs.org/en/v0.1.2/

  34. #safedjango @phildini Pony Checkup h>ps:/ /www.ponycheckup.com/

  35. #safedjango @phildini Making Django Ridiculously Secure h>p:/ /nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/

  36. #safedjango @phildini Thanks! QuesLons?