Two scoops of Django - Security Best Practices

Transcript

1. 5XP
   4DPPQT
   PG
   %KBOHP Security Best Practices Spin Lai

2. None

3. I. Django Configurations II. Django Security Features III. Django Admin

   IV. What Else ?

4. I. Django Configurations II. Django Security Features III. Django Admin

   IV. What Else ?

5. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY !

6. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOW_HOSTS SECRET_KEY !

   $ python manage.py --settings=[setting path] $ django-admin.py --settings=[setting path] $ export DJANGO_SETTINGS_MODULE=[setting path]

7. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY !

   DEBUG = False ! TEMPLATE_DEBUG = False

8. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY !

   # Must be set when DEBUG = False ALLOWED_HOSTS = [ 'localhost', 'www.example.com', '.example.com', '*' # Avoid ! ]

9. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY !

   ‣ Configuration values, not code. ‣ DO NOT keep them in version control. ‣ Use environment variables.

10. Django Configurations Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY !

    ! def get_env_variable(varname): try: return os.environ[varname] except KeyError: msg = "Set the %s environment variable" % var_name raise ImporperlyConfigured(msg)

11. I. Django Configurations II. Django Security Features III. Django Admin

    IV. What Else ?

12. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking

    Protection SSL / HTTPS Password Storage Data Validation

13. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking

    Protection SSL / HTTPS Password Storage Data Validation ‣ Django by default escapes specific characters ‣ Be careful when using is_safe attribute ‣ Be very careful when storing HTML in Database

14. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking

    Protection SSL / HTTPS Password Storage Data Validation

15. CSRF protection • Django CSRF Protection Workflow • CSRF Protection

    for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt

16. CSRF protection • Django CSRF Protection Workflow • CSRF Protection

    for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Random token value by CsrfViewMiddleware (CSRF cookie) ‣ `csrf_token` template tag generate hidden input ‣ Every request calls django.middleware.csrf.get_token() ‣ Compare CSRF cookie with `csrfmiddlewaretoken` value ‣ With HTTPS, CsrfViewMiddleWare will check referer header

17. CSRF protection • Django CSRF Protection Workflow • CSRF Protection

    for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() ‣ Pass CSRF token as POST data with every POST request ‣ Set a custom `X-CSRFToken` header on each request ‣ CSRF cookie might not exist without `csrf_token` tag

18. CSRF protection • Django CSRF Protection Workflow • CSRF Protection

    for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than csrf_protect() • Be careful with csrf_exempt() var origSync = Backbone.sync; Backbone.sync = function (method, model, options) { options.beforeSend = function (xhr) { xhr.setRequestHeader('X-CSRFToken', $.cookie('csrftoken')); }; ! return origSync(method, model, options); };

19. CSRF protection • Django CSRF Protection Workflow • CSRF Protection

    for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt

20. CSRF protection • Django CSRF Protection Workflow • CSRF Protection

    for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt

21. CSRF protection • Django CSRF Protection Workflow • CSRF Protection

    for AJAX Request • HTML Search Form • CsrfViewMiddleware rather than @csrf_protect • Be careful with @csrf_exempt

22. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking

    Protection SSL / HTTPS Password Storage Data Validation

23. Injection protection • Script Injection • SQL Injection

24. Injection protection • Script Injection • SQL Injection ‣Beware of

    the eval(), exec() and execfile() ‣DO NOT use `pickle` module to serialize/deserialize data. ‣Only use safe_load() in PyYAML

25. Injection protection • Script Injection • SQL Injection ‣ Django

    Queryset escape varaibles automatically ‣ Be careful to escape raw SQL properly ‣ Exercise caution when using extra()

26. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking

    Protection SSL / HTTPS Password Storage Data Validation

27. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt

    • Browsers Support

28. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt

    • Browsers Support Whether or not a resource is allowed to load within a frame or iframe

29. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt

    • Browsers Support MIDDLEWARE_CLASSES = ( ... 'django.middleware.clickjacking.XFrameOptionsMiddleware', ... )

30. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt

    • Browsers Support # Default X_FRAME_OPTIONS = 'SAMEORIGIN' ! X_FRAME_OPTIONS = 'DENY'

31. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt

    • Browsers Support

32. Clickjacking protection • `X-Frame-Options` HTTP header • Configurations • @xframe_options_exempt

    • Browsers Support ‣ Internet Explorer 8+ ‣ Firefox 3.6.9+ ‣ Opera 10.5+ ‣ Safari 4+ ‣ Chrome 4.1+

33. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking

    Protection SSL / HTTPS Password Storage Data Validation

34. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies

    • HSTS • Packages

35. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies

    • HSTS • Packages ‣ Web server configuration ‣ Django middleware ‣ SSL certificate from reputable source

36. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies

    • HSTS • Packages SECURE_PROXY_SSL_HEADER = False ! $ export HTTPS=on

37. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies

    • HSTS • Packages SESSION_COOKIE_SECURE = True ! CSRF_COOKIE_SECURE = True

38. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies

    • HSTS • Packages ‣Redirect HTTP links to HTTPS ‣Web server level configuration ‣HSTS-compliant browsers

39. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies

    • HSTS • Packages Strict-Transport-Security: max-age=31536000, includeSubDomains

40. SSL / HTTPS • HTTPS Everywhere ! • Secure Cookies

    • HSTS • Packages ‣ django-sslify ‣ django-secure ‣ django-hstsmiddleware

41. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking

    Protection SSL / HTTPS Password Storage Data Validation

42. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER

    • Use bcrypt • Increase work factor

43. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER

    • Use bcrypt • Increase work factor

44. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER

    • Use bcrypt • Increase work factor <algorithm>$<iteration>$<salt>$<hash>

45. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER

    • Use bcrypt • Increase work factor PASSWORD_HASHERS = ( 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher', 'django.contrib.auth.hashers.MD5PasswordHasher', 'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher', 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher', 'django.contrib.auth.hashers.CryptPasswordHasher', )

46. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER

    • bcrypt • Increase work factor

47. Password Storage • PBKDF2 + SHA256 • User.password • PASSWORD_HASHER

    • Use bcrypt • Increase work factor

48. Django Security Features XSS Protection CSRF Protection Injection Protection Clickjacking

    Protection SSL / HTTPS Password Storage Data Validation

49. Data Validation • Django Forms • User-Uploaded Content

50. Data Validation • Django Forms • User-Uploaded Content ‣ Designed

    to validate Python dictionaries ‣ Not only for HTTP POST request ‣ DO NOT use ModelForms.Meta.exclude ‣ Use ModelForms.Meta.fields instead

51. Data Validation • Django Forms • User-Uploaded Content from django

    import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Don't Do this!! excludes = ("pk", "slug", "modified")

52. Data Validation • Django Forms • User-Uploaded Content from django

    import forms from .models import Store ! class StoreForm(forms.ModelForm): ! class Meta: model = Store # Explicitly specifying what we want fields = ("title", "address", "email")

53. Data Validation • Django Forms • User-Uploaded Content ‣ Limit

    upload in web server ‣ FileField / ImageField ‣ python-magic ‣ Validate with specific file type library

54. Data Validation • Django Forms • User-Uploaded Content from django.utils.image

    import Image ! try: Image.open(file).verify() except Exception: # Pillow (or PIL) doesn't recognize it as an image. six.reraise(ValidationError, ValidationError( self.error_messages['invalid_image'], code='invalid_image', ), sys.exc_info()[2])

55. I. Django Configurations II. Django Security Features III. Django Admin

    IV. What Else ?

56. Django Admin Change the Default Admin URL Access Admin via

    HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages

57. Django Admin Change the Default Admin URL Access Admin via

    HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages

58. Django Admin Change the Default Admin URL Access Admin via

    HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages

59. Django Admin Change the Default Admin URL Access Admin via

    HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ Web server configuration ‣ Django middleware

60. Django Admin Change the Default Admin URL Access Admin via

    HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages

61. Django Admin Change the Default Admin URL Access Admin via

    HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages

62. Django Admin Change the Default Admin URL Access Admin via

    HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages ‣ django-admin-honeypot ‣ django-axes

63. I. Django Configurations II. Django Security Features III. Django Admin

    IV. What Else ?

64. What else ? Harden your servers NEVER store credit card

    data Server monitoring Vulnerability reporting page Keep things up-to-date

65. What else ? Harden your servers NEVER store credit card

    data Server monitoring Vulnerability reporting page Keep things up-to-date

66. What else ? Harden your servers NEVER store credit card

    data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ PCI-DSS Security Standards ‣ Sufficient Time/Resource/Funds ‣ Using 3rd-Party Services ‣ Beware of Open Source Solutions

67. What else ? Harden your servers NEVER store credit card

    data Server monitoring Vulnerability reporting page Keep things up-to-date ‣ Check access/error logs regularly ‣ Install monitoring tools

68. What else ? Harden your servers NEVER store credit card

    data Server monitoring Vulnerability reporting page Keep things up-to-date

69. What else ? Harden your servers NEVER store credit card

    data Server monitoring Vulnerability reporting page Keep things up-to-date

70. What else ? Harden your servers NEVER store credit card

    data Server monitoring Vulnerability reporting page Keep things up-to-date

71. What else ? Harden your servers NEVER store credit card

    data Server monitoring Vulnerability reporting page Keep things up-to-date

72. What else ? Harden your servers NEVER store credit card

    data Server monitoring Vulnerability reporting page Keep things up-to-date

73. Keep Things Up-to-Date • Dependencies • Security Practices

74. Keep Things Up-to-Date • Dependencies • Security Practices https://www.djangoproject.com/weblog/

75. Keep Things Up-to-Date • Dependencies • Security Practices

76. Keep Things Up-to-Date • Dependencies • Security Practices

77. Keep Things Up-to-Date • Dependencies • Security Practices

78. Thank You