
Securing Your Django Site

Django Pony

DjangoSD - February 22, 2012

Web security basics: XSS

    from django.http import HttpResponse
    from django.template import Context, Template

    def testview(request):
        # The value reaches the page through {{ name }}, so autoescaping applies
        t = Template("Hello my name is {{ name }}")
        c = Context({'name': "<script>alert('owned')</script>"})
        return HttpResponse(t.render(c))

Safe! Django's template engine autoescapes every {{ variable }} by default, so the browser gets &lt;script&gt; as text, not a script tag.

Web security basics: SQL Injection

    Post.objects.get(name="'; DELETE FROM blog_post; --")

Safe! The ORM binds the value as a query parameter, so the database only ever compares it against name; the DELETE never becomes SQL.

Obligatory XKCD

Web security basics: CSRF

Explaining CSRF in a one-liner is tough.
Bear with me...

    <img src="http://chase.com/xfer?from=you&to=me&amount=1000" />

The victim's browser fetches that URL with the victim's chase.com cookies attached. If a GET can change state, the attacker's page has just moved the money.

This security thing is easy...

Security Guard

Double check your exceptions! Each of these opts out of one of the protections above, so every use is a place to audit:

  • .raw() - you write the SQL; pass user input via params, never string formatting
  • .extra() - same story for the where/select fragments
  • mark_safe() - turns autoescaping off for that value
  • @csrf_exempt - turns the CSRF check off for that view
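What the XSS and SQL-injection payloads from the earlier slides do once you reach for .raw() or mark_safe(), as an added example (not from the slides and not Django's code). It uses only the standard library so it runs without Django: an in-memory sqlite3 table stands in for the Post model, raw_query_unsafe() mirrors Post.objects.raw(sql % name) while raw_query_safe() mirrors Post.objects.raw(sql, [name]) (sqlite binds with ? where Django uses %s), and render_unsafe()/render_safe() mirror a value wrapped in mark_safe() versus the engine's own autoescaping. The table contents and the `' OR 1=1 --` payload are constructed for the demo.

```python
"""Escape hatches, demonstrated without Django (added example, stdlib only).

Assumptions, all constructed for illustration:
  - blog_post is an in-memory sqlite3 table standing in for the Post model;
  - raw_query_unsafe() mirrors Post.objects.raw("... '%s'" % name);
  - raw_query_safe() mirrors Post.objects.raw("... %s", [name]);
  - render_unsafe() mirrors mark_safe(name), render_safe() mirrors autoescaping
    (html.escape escapes the same five characters Django does: < > & " ').
"""
import html
import sqlite3

XSS_PAYLOAD = "<script>alert('owned')</script>"   # from the XSS slide
SQL_PAYLOAD = "' OR 1=1 --"                         # constructed: matches every row


def make_db():
    """Constructed fixture: two posts, one of them not meant to be listed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blog_post (id INTEGER PRIMARY KEY, name TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO blog_post (name, body) VALUES (?, ?)",
        [("hello", "public post"), ("unpublished", "draft")],
    )
    return conn


def raw_query_unsafe(conn, name):
    # Like Post.objects.raw("SELECT ... WHERE name = '%s'" % name): the quote in
    # the payload closes the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM blog_post WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def raw_query_safe(conn, name):
    # Like Post.objects.raw("SELECT ... WHERE name = %s", [name]): the driver
    # binds the value, so it can only be compared, never parsed as SQL.
    sql = "SELECT name FROM blog_post WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_unsafe(name):
    # What {{ name }} becomes when the view hands the template mark_safe(name).
    return "Hello my name is " + name


def render_safe(name):
    # What the template engine does on its own: escape the variable.
    return "Hello my name is " + html.escape(name, quote=True)


if __name__ == "__main__":
    db = make_db()
    print(raw_query_unsafe(db, SQL_PAYLOAD))   # ['hello', 'unpublished']
    print(raw_query_safe(db, SQL_PAYLOAD))     # []
    print(render_unsafe(XSS_PAYLOAD))          # the script tag survives
    print(render_safe(XSS_PAYLOAD))            # &lt;script&gt;alert(&#x27;owned&#x27;)&lt;/script&gt;
```

The point of the pairing: the unsafe and safe versions differ by one thing each (string formatting versus a bound parameter; raw concatenation versus escaping), which is exactly the one thing each escape hatch hands back to you.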

The Not-So-Basics: Caching

Is this safe?

    from django.views.decorators.cache import cache_page

    @cache_page(60 * 15)
    def my_view(request):
        ...

Caching: It depends

  • Is your cache backend secure?
  • Shared host?
  • Are you using pickle?
Pickle, not just a fruit anymore
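Why "are you using pickle?" is a security question, as an added example (not from the slides and not Django's code). Django's cache backends store values with pickle, so whoever can write to the cache store (another tenant on a shared memcached, anyone who can write the file-based cache directory) chooses what your process unpickles, and unpickling calls whatever callables the stream names. Here SHARED_CACHE is a plain dict standing in for the backend store, the attacker only gets to put bytes in it, and the callable that fires is a harmless recorder rather than os.system; all of that is constructed for the demo.

```python
"""Pickle in a cache someone else can write to (added example, stdlib only).

Constructed for illustration: SHARED_CACHE stands in for memcached or the
file-based cache directory; the attacker's only capability is writing bytes
to it; record() stands in for the os.system call a real payload would name.
"""
import json
import pickle

SHARED_CACHE = {}   # stand-in for the backend store (shared host, shared memcached)
EXECUTED = []       # proof that attacker-chosen code ran inside the victim process


def record(msg):
    """Harmless stand-in for the callable an attacker would really pick."""
    EXECUTED.append(msg)
    return msg


class Payload:
    """On unpickle, tells pickle to call record(...) instead of building a Payload."""

    def __reduce__(self):
        return (record, ("loads() ran attacker-chosen callable",))


def attacker_writes_cache(key):
    # Constructed attack: any writer to the store can plant this under a key the
    # application will read, e.g. the one cache_page uses for a popular URL.
    SHARED_CACHE[key] = pickle.dumps(Payload())


def victim_reads_pickled(key):
    # Mirrors a pickle-based backend on cache.get(key): the loads() call is the
    # code execution, before the application ever looks at the value.
    return pickle.loads(SHARED_CACHE[key])


def cache_set_json(key, obj):
    # Data-only encoding: json.dumps/json.loads never call back into your code.
    SHARED_CACHE[key] = json.dumps(obj).encode("utf-8")


def victim_reads_json(key):
    return json.loads(SHARED_CACHE[key].decode("utf-8"))


def demo(key="my_view:/"):
    """Plant the payload, then read it back the two ways a backend might."""
    EXECUTED.clear()
    attacker_writes_cache(key)
    value = victim_reads_pickled(key)   # record() runs here, inside the victim
    ran = list(EXECUTED)
    try:
        victim_reads_json(key)          # a pickle stream is not valid JSON/UTF-8
        json_accepted = True
    except ValueError:                  # covers UnicodeDecodeError and JSONDecodeError
        json_accepted = False
    return value, ran, json_accepted


if __name__ == "__main__":
    print(demo())   # ('loads() ran attacker-chosen callable', [...same...], False)
```

The data-only reader is there to show what the risk reduces to, not as a Django switch: the cache framework pickles, so the practical fix is the slide's first two bullets, a backend that only your application can write to.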

The Not-So-Basics: Passwords

The familiar Django Admin

Passwords (continued)

  • Password sniffing? (HTTPS)
  • No hashed passwords in public source control!
  • Improvements coming in Django 1.4 (PBKDF2 password hashing replaces the single salted SHA-1)
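What the 1.4 change buys you, and why a hash in public source control is still a leak, as an added example (not from the slides and not Django's hashers). It builds the pre-1.4 style hash (one SHA-1 over salt + password) and the PBKDF2 style Django 1.4 moved to with hashlib only; the encoded strings copy the shape of Django's "sha1$salt$hash" and "pbkdf2_sha256$iterations$salt$hash" formats. The fixed salt, the iteration count and the five-word dictionary are constructed for the demo.

```python
"""Salted SHA-1 versus PBKDF2, and a dictionary attack on a leaked hash.

Added example, stdlib only.  Format strings copy the shape of Django's
"sha1$salt$hash" and "pbkdf2_sha256$iterations$salt$hash"; DEMO_SALT and
WORDLIST are constructed for the demo.
"""
import base64
import hashlib
import hmac
import time

DEMO_SALT = "seasalt"          # constructed; real code draws a fresh random salt per user
PBKDF2_ITERATIONS = 10000      # the 1.4-era default; raise it as hardware gets faster


def make_password_sha1(password, salt=DEMO_SALT):
    """Pre-1.4 style: one cheap hash, trivially brute-forced if it leaks."""
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def make_password_pbkdf2(password, salt=DEMO_SALT, iterations=PBKDF2_ITERATIONS):
    """1.4 style: the same check costs the attacker `iterations` times more."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, base64.b64encode(raw).decode())


def check_password(password, encoded):
    """Re-derive with the parameters stored in the hash, compare in constant time."""
    algorithm = encoded.split("$", 1)[0]
    if algorithm == "sha1":
        _, salt, _ = encoded.split("$")
        candidate = make_password_sha1(password, salt)
    elif algorithm == "pbkdf2_sha256":
        _, iterations, salt, _ = encoded.split("$")
        candidate = make_password_pbkdf2(password, salt, int(iterations))
    else:
        return False
    return hmac.compare_digest(candidate, encoded)


WORDLIST = ["letmein", "password", "hunter2", "qwerty", "correcthorse"]   # constructed


def crack(encoded, wordlist=WORDLIST):
    """Offline guessing against a hash that escaped, e.g. in a committed fixture.

    Returns (password or None, seconds spent).  The recovered word is the same
    for both formats; what differs is the cost per guess, which is the whole
    point of PBKDF2.
    """
    start = time.perf_counter()
    for guess in wordlist:
        if check_password(guess, encoded):
            return guess, time.perf_counter() - start
    return None, time.perf_counter() - start


if __name__ == "__main__":
    old = make_password_sha1("hunter2")
    new = make_password_pbkdf2("hunter2")
    print(crack(old))   # ('hunter2', a few microseconds)
    print(crack(new))   # ('hunter2', milliseconds: 10000x the work per guess)
    print(crack(make_password_pbkdf2("correcthorsebatterystaple")))   # (None, ...)
```

The slow hash does not make a weak password safe (hunter2 falls either way); it makes every guess expensive, which is what turns "the admin fixture was in the public repo" from an immediate compromise into a race you can win by rotating the password.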

The Not-So-Basics: Misc

Our first catch of the day

New Django Features: Signing

    from django.core.signing import TimestampSigner

    signer = TimestampSigner()
    value = signer.sign('time sensitive')

You can still shoot yourself in the foot (or head)
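The foot-guns behind that one-liner, as an added example (not from the slides and not Django's code). It is a stand-alone timestamp signer built on hmac/hashlib so it runs without Django; it copies the shape of django.core.signing.TimestampSigner (value:timestamp:signature, a salt that scopes the key to one purpose, max_age checked on unsign) but simplifies the key derivation and timestamp encoding, and SECRET_KEY is a constant constructed for the demo. foot_guns() then checks the three ways the slide's sign() call still bites: the value is authenticated, not hidden; without max_age the token is good forever; and a token minted for one purpose must not pass for another.

```python
"""Timestamp signing with hmac/hashlib (added example, not Django's implementation).

Constructed for the demo: SECRET_KEY is a fixed string (Django reads
settings.SECRET_KEY); the key derivation and the plain-decimal timestamp are
simplifications of what django.core.signing does.
"""
import hashlib
import hmac
import time

SECRET_KEY = "constructed-demo-key-not-for-real-use"
SEP = ":"


class BadSignature(Exception):
    pass


class SignatureExpired(BadSignature):
    pass


def _key(salt):
    # Scope the HMAC key to one purpose, so a token signed for password reset
    # cannot be replayed where an email-confirmation token is expected.
    return hashlib.sha256((salt + "signer" + SECRET_KEY).encode()).digest()


def _signature(payload, salt):
    return hmac.new(_key(salt), payload.encode(), hashlib.sha256).hexdigest()


def sign(value, salt="default", now=None):
    """Return value:timestamp:signature (timestamp in whole seconds)."""
    ts = str(int(time.time() if now is None else now))
    payload = value + SEP + ts
    return payload + SEP + _signature(payload, salt)


def unsign(signed, salt="default", max_age=None, now=None):
    """Return the original value, or raise BadSignature / SignatureExpired."""
    if signed.count(SEP) < 2:
        raise BadSignature("no signature found")
    payload, sig = signed.rsplit(SEP, 1)
    # Constant-time compare: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(sig, _signature(payload, salt)):
        raise BadSignature("signature does not match")
    value, ts = payload.rsplit(SEP, 1)
    if max_age is not None:
        age = (time.time() if now is None else now) - int(ts)
        if age > max_age:
            raise SignatureExpired("token is %d seconds old" % age)
    return value


def is_valid(signed, salt="default", max_age=None, now=None):
    """Boolean wrapper so the outcomes below are easy to check."""
    try:
        unsign(signed, salt=salt, max_age=max_age, now=now)
        return True
    except BadSignature:
        return False


def foot_guns(now=1000):
    """Every entry is True: each is a property the slide's sign() call has."""
    token = sign("time sensitive", now=now)
    return {
        # 1. Signing is not encryption: whoever holds the token reads the value.
        "value_is_readable": "time sensitive" in token,
        # 2. Any change to the value is rejected ...
        "tamper_rejected": not is_valid(token.replace("time", "tame"), now=now),
        # ... but without max_age the untouched token is still valid a year on.
        "valid_forever_without_max_age": is_valid(token, now=now + 365 * 86400),
        "expired_with_max_age": not is_valid(token, max_age=600, now=now + 365 * 86400),
        # 3. A token minted under one salt does not verify under another.
        "cross_purpose_rejected": not is_valid(token, salt="password-reset", now=now),
    }


if __name__ == "__main__":
    print(sign("time sensitive", now=1000))   # time sensitive:1000:<hex hmac>
    print(foot_guns())                        # every value True
```

Two habits follow from this: always pass max_age when you unsign a TimestampSigner token (the timestamp is otherwise decoration), and give each use of signing its own salt so the secret key is not one shared key for every token type in the site.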

Securing Your Server

Tools to Secure Your Site

Thanks!