DjangoCon Europe 2012 Keynote: Make Me Make Good Choices

jesstess
June 06, 2012
Transcript

  1. Make me make good choices: Education and best practices by default for novice web developers. Jessica McKellar, http://jesstess.com
  2. Visual Accessibility • 7-10% of Caucasian men have some form of color blindness (back of the envelope: ~250 million men worldwide) • 2.6% of the global population is visually impaired (~285 million people) http://www.hhmi.org/senses/b130.html http://www.who.int/mediacentre/factsheets/fs282/en/index.html
  3. Accessibility Guidelines • World Wide Web Consortium's Web Accessibility Initiative http://www.w3.org/WAI/ • (USA) Section 508 Amendment to the Rehabilitation Act of 1973 http://www.section508.gov/
  4. Accessibility Guidelines • Alt-text on images • Accessible intra- and inter-page navigation • Audio and video accessibility: captions, transcriptions • Indicate important information with more than color alone • Accessible forms: labels, proximity of prompting text • Degrading JavaScript gracefully
  6. Django Accessibility • Set a good example: audit ourselves • Websites • Conferences! • Accessibility tutorial? • Accessibility checklist? • Warnings on easily correctible issues? How can Django help people like me avoid, detect, and address accessibility issues?
  7. Cross site scripting (XSS) • “Improper or insufficient neutralization of user-controllable input before it is placed in output that is used as a web page that is served to other users.” • #4 on MITRE's “Top 25 Most Dangerous Software Errors”
  8. XSS protection in Django • Autoescaping enabled by default since 2007 • https://docs.djangoproject.com/en/1.4/topics/security/#cross-site-scripting-xss-protection • A request for /path/?name=<script>alert('XSS');</script> renders as /path/?name=&lt;script&gt;alert(&apos;XSS&apos;);&lt;/script&gt;
  9. Cross site request forgery (CSRF) • “The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.” • #12 on MITRE's “Top 25 Most Dangerous Software Errors”
  10. CSRF protection in Django • Easy to enable • Thoughtful about testing • Flexible in how you opt in or out • Great documentation, even mentioned in tutorial (part 4) • https://docs.djangoproject.com/en/1.4/ref/contrib/csrf/ • <form action="." method="post">{% csrf_token %}
  12. CSRF protection in Django • Easy to enable, but I need to be told that I have to do this! <form action="." method="post">{% csrf_token %}
  13. SQL injection attacks • “Improper or insufficient neutralization of user-controllable input used in a SQL command.” • #1 on MITRE's “Top 25 Most Dangerous Software Errors”
  14. SQL injection attacks • "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + itemName + "'"; • With itemName supplied as name'; DELETE FROM items; -- the query becomes: SELECT * FROM items WHERE owner = 'wiley' AND itemname = 'name'; DELETE FROM items; --'
  15. SQL injection protection in Django • “By using Django's querysets, the resulting SQL will be properly escaped by the underlying database driver.” • Remaining opportunities for injection: • Raw queries • Custom SQL
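The concatenated query from slide 14 beside the parameterised form that the database driver produces for a queryset, as an added example that is not part of the talk. The `items` table and its three rows are constructed for the demo; `executescript()` is used on the vulnerable path to model a driver that permits stacked statements (sqlite3's `execute()` would refuse the second statement, which is a driver quirk, not a defence).

```python
import sqlite3

# Constructed sample data for the demonstration.
ROWS = [("wiley", "name"), ("wiley", "hammer"), ("roadrunner", "seed")]
PAYLOAD = "name'; DELETE FROM items; --"   # the itemName value from slide 14


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (owner TEXT, itemname TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return db


def build_vulnerable_query(user_name, item_name):
    # The string concatenation from slide 14: input becomes SQL syntax.
    return ("SELECT * FROM items WHERE owner = '" + user_name +
            "' AND itemname = '" + item_name + "'")


def lookup_vulnerable(db, user_name, item_name):
    # executescript() runs every statement in the string, modelling a driver
    # that allows stacked queries. Returns how many rows survive the lookup.
    db.executescript(build_vulnerable_query(user_name, item_name))
    return db.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def lookup_parameterised(db, user_name, item_name):
    # Parameter binding: the driver passes the values as data, never as SQL.
    # This is what a Django queryset does for you under the hood:
    #   Item.objects.filter(owner=user_name, itemname=item_name)
    rows = db.execute(
        "SELECT * FROM items WHERE owner = ? AND itemname = ?",
        (user_name, item_name)).fetchall()
    remaining = db.execute("SELECT COUNT(*) FROM items").fetchone()[0]
    return rows, remaining


if __name__ == "__main__":
    print(build_vulnerable_query("wiley", PAYLOAD))
    print("rows left after vulnerable lookup:", lookup_vulnerable(fresh_db(), "wiley", PAYLOAD))
    print("parameterised lookup:", lookup_parameterised(fresh_db(), "wiley", PAYLOAD))
```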
  16. Clickjacking • “Occurs when a malicious site tricks a user into clicking on a concealed element of another site which they have loaded in a hidden frame or iframe.”
  17. Clickjacking protection in Django • New in 1.4, awesome! • Easy to enable, but I need to be told that I have to do this!
  18. Leaky cookies • “If a browser connects initially via HTTP, which is the default for most browsers, it is possible for existing cookies to be leaked.”
  19. django-secure • “Helping you remember to do the stupid little things to improve your Django site's security.” http://pypi.python.org/pypi/django-secure
  20. Django Security • Even more conservative defaults? • Security as part of the overview and tutorial? • Security tutorial? • Security checklist? • Sprint idea: public Django projects audit. How can Django help people like me avoid, detect, and address security issues?
  21. django.contrib.auth.models.User • This is a HARD problem to address. Thank you django-developers for sticking with it! • Over 6 years of thoughtful discussion • https://groups.google.com/d/topic/django-developers/PLTW8Mon9QU/discussion • https://code.djangoproject.com/ticket/3011
  22. Django Internationalization • Set a good example: audit ourselves • Websites • Conferences! • Internationalization tutorial? • Internationalization checklist? How can Django help people like me avoid, detect, and address internationalization issues?
  23. Make me make good choices: Education and best practices by default for novice web developers. Jessica McKellar, http://jesstess.com