Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.

Securing Your Django Site

Django Pony

DjangoSD - February 22, 2012

Web security basics: XSS

def testview(request): t = Template("Hello my name is {{ name }}") c = Context({'name': "<script>alert('owned')</script>"}) return HttpResponse(t.render(c))


Web security basics: SQL Injection

Post.objects.get(name="'; DELETE FROM blog_post; --")

Obligatory XKCD

Web security basics: CSRF

Explaining CSRF in a one-liner is tough.
Bear with me...

<img src="" />

This security thing is easy...

Security Guard

Double check your exceptions!


The Not-So-Basics: Caching

Is this safe?

@cache_page(60 * 15) def my_view(request): ...

Caching: It depends

  • Is your cache backend secure?
  • Shared host?
  • Are you using pickle?
Pickle, not just a fruit anymore

The Not-So-Basics: Passwords

The familiar Django Admin

Passwords (continued)

  • Password sniffing? (HTTPS)
  • No hashed passwords in public source control!
  • Improvements coming in Django 1.4

The Not-So-Basics: Misc

Our first catch of the day

New Django Features: Signing

from django.core.signing import TimestampSigner signer = TimestampSigner() value = signer.sign('time sensitive')

You can still shoot yourself in the foot (or head)

Securing Your Server

Tools to Secure Your Site