Django Web Application Security Checklist 2

This document provides an 11-step checklist for securing a Django web application. It includes recommendations such as setting DEBUG to False, running security checks, protecting against XSS and CSRF attacks, enforcing HTTPS, hiding the admin URL, implementing HTTP Strict Transport Security, and using python-decouple to separate sensitive settings. Finally, it advises developers to research security topics and scan their site with Mozilla Observatory.

Uploaded by Fernando Rivera

Django web application security checklist

Web application security


Web application security is the process of shielding websites and online services against
security threats that leave an application exposed. Web application security is essential in
protecting a user’s data from a malicious user who plans to cause harm to that data.

What is Django and how does it stand

Django is a Python-based, open-source web framework that follows the MVT (Model-View-Template) architectural pattern. It is a batteries-included framework with secure defaults, but a few settings still need to be adjusted in order to make full use of Django's defensive capabilities.

1) Debug = False

Please, please, please never deploy your application with DEBUG = True. Ensure that DEBUG is set to False. If you don't, Django's debug page will expose your settings and environment variables to whoever triggers an exception.

# settings.py

DEBUG = False

2) Deployment checklist

The next important step is to run the command below in your terminal. It prints a series of warnings about your Django configuration, which gives you a quick breakdown of the major issues that require your attention before you go ahead with deployment. If you like to get ahead early in the game, look up each of the warning codes it prints.

python manage.py check --deploy

3) Cross-site Scripting (XSS)


Cross-site scripting attacks involve an attacker injecting a malicious script into your application. If an XSS attack succeeds, the attacker may be able to steal your users' sensitive information. Luckily for you, you can reduce the impact of XSS attacks by adding the following lines:

# settings.py

SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True

4) SSL redirect

The line below ensures that your application redirects all non-HTTPS requests to HTTPS.

# settings.py

SECURE_SSL_REDIRECT = True

5) Change the default Django admin URL


Someone who is familiar with Django can easily reach your admin page simply by typing "www.yourwebsite.com/admin" into their browser. Therefore, it is essential that you change your 'admin/' URL to something unique and memorable.

Check the before and after code snippets to understand how to change your admin URL.

Before:

# urls.py

from django.contrib import admin
from django.urls import path

urlpatterns = [
    path('admin/', admin.site.urls),  # Default admin URL
]

After:

# urls.py

from django.contrib import admin
from django.urls import path

urlpatterns = [
    path('secret-admin/', admin.site.urls),  # Updated
]

6) HTTP Strict Transport Security (HSTS)

The lines below tell browsers to connect to your site only over HTTPS for the given number of seconds, which protects your web application from man-in-the-middle attacks that try to downgrade the connection to plain HTTP.

# settings.py

SECURE_HSTS_SECONDS = 86400
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

7) Cross-site request forgery (CSRF) protection

These settings mark your session cookie and your CSRF cookie as Secure, so the browser never sends them over plain HTTP by accident.

Be sure that HTTPS is set up, then add the following lines:

# settings.py

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
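The settings from items 1, 3, 4, 6 and 7 interact, so here is an added example (not from the article, and not Django's own check framework) that encodes those items as rules over a plain settings dict, in the spirit of manage.py check --deploy. The one-year preload threshold and the omission of SECURE_BROWSER_XSS_FILTER (removed in Django 4.0) are additions of this example, not statements from the article.

```python
# Added example, not from the original article: encodes checklist items
# 1, 3, 4, 6 and 7 as rules over a plain settings dict, in the spirit of
# `manage.py check --deploy`, so it runs without Django installed.

HSTS_PRELOAD_MIN_SECONDS = 31536000  # hstspreload.org requires max-age >= 1 year


def audit_settings(settings: dict) -> list[str]:
    """Return human-readable findings; an empty list means every rule passed."""
    findings = []
    get = settings.get

    # 1) startproject generates DEBUG = True, so treat an unset value as unsafe.
    if get("DEBUG", True):
        findings.append("DEBUG must be False in production")

    # 3) Stop browsers MIME-sniffing responses into scripts or styles.
    if not get("SECURE_CONTENT_TYPE_NOSNIFF", False):
        findings.append("SECURE_CONTENT_TYPE_NOSNIFF should be True")

    # 4) Plain-HTTP requests must be redirected to HTTPS.
    if not get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT should be True")

    # 6) A zero max-age disables HSTS; preload also needs a one-year
    #    max-age and includeSubDomains, which the article's 86400 does not meet.
    hsts = int(get("SECURE_HSTS_SECONDS", 0))
    if hsts <= 0:
        findings.append("SECURE_HSTS_SECONDS is 0, so no HSTS header is sent")
    if get("SECURE_HSTS_PRELOAD", False):
        if hsts < HSTS_PRELOAD_MIN_SECONDS:
            findings.append(f"SECURE_HSTS_PRELOAD set but max-age {hsts} < {HSTS_PRELOAD_MIN_SECONDS}")
        if not get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
            findings.append("SECURE_HSTS_PRELOAD requires SECURE_HSTS_INCLUDE_SUBDOMAINS")

    # 7) Secure cookies only help once every request is already HTTPS.
    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not get(name, False):
            findings.append(f"{name} should be True")
    return findings


# Constructed sample: the values the article sets in items 1, 3, 4, 6 and 7.
# SECURE_BROWSER_XSS_FILTER is left out because Django 4.0 removed that setting.
ARTICLE_SETTINGS = {
    "DEBUG": False, "SECURE_CONTENT_TYPE_NOSNIFF": True, "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 86400, "SECURE_HSTS_PRELOAD": True,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True,
}
```

Running audit_settings(ARTICLE_SETTINGS) reports only the preload max-age mismatch; raising SECURE_HSTS_SECONDS to 31536000 clears it.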

8) Use python-decouple
Your settings.py file will be full of sensitive information. Be sure to use python-decouple to
keep everything separate and safe.

Step 1:

To install python-decouple in your application, open up your terminal and type in the
following command:

pip install python-decouple

Step 2:
Create a .env file in your repository’s root directory.

Step 3:

As a test, we will store some important data, such as DEBUG and our secret key. Copy your DEBUG and SECRET_KEY values from settings.py as-is into your .env file:

DEBUG=False
SECRET_KEY='my_secret_key'

Step 4:

If you are using Git, add .env to your .gitignore so the file is never committed.

Step 5:

Next, you need to import the decouple library:

# settings.py

from decouple import config

Step 6:

Now we want to read our parameters.

Decouple always returns our data as a string. To solve this problem, we cast it to bool if we are expecting a Boolean, or to int if we are expecting an integer. Go back to your settings.py and replace your existing DEBUG and SECRET_KEY values with the following:

# settings.py

DEBUG = config('DEBUG', cast=bool)
SECRET_KEY = config('SECRET_KEY')
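Why the cast matters: Python's bool("False") is True, so an env loader has to interpret the text itself. The following is an added example, not the article's code and not python-decouple's implementation; it is a minimal stand-in for the config() lookup that parses the .env text from step 3 (the boolean spellings it accepts, the quote stripping and the SESSION_COOKIE_AGE line are assumptions of this example).

```python
# Added example, not from the article or from python-decouple: a minimal
# stand-in for the `config()` lookup that reads the .env text from step 3
# and shows why cast=bool cannot just call Python's bool(), since every
# non-empty string, including "False", is truthy.

_UNDEFINED = object()
_TRUE = {"1", "yes", "y", "true", "t", "on"}
_FALSE = {"0", "no", "n", "false", "f", "off", ""}


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping matching quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # 'my_secret_key' -> my_secret_key
        values[key.strip()] = value
    return values


def cast_bool(value: str) -> bool:
    """Map the usual textual spellings to a bool; reject anything else loudly."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def config(env: dict[str, str], key: str, default=_UNDEFINED, cast=None):
    """Look up key, apply the cast, and fail if it is absent with no default."""
    if key not in env:
        if default is _UNDEFINED:
            raise KeyError(f"{key} not found in .env")
        return default
    if cast is bool:  # the special case that makes DEBUG=False work
        return cast_bool(env[key])
    return cast(env[key]) if cast else env[key]


# Constructed sample: the two lines from step 3 plus one integer setting.
SAMPLE_ENV = "DEBUG=False\nSECRET_KEY='my_secret_key'\nSESSION_COOKIE_AGE=1209600\n"
ENV = parse_env(SAMPLE_ENV)
```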

9) Content Security Policy (CSP)


A content security policy (CSP) is useful if your web application contains a lot of styles and
inline scripts. It can be useful for preventing clickjacking, cross-site scripting, and other
types of code injection attacks. Be sure to read online about CSP.

10) Mozilla Observatory


Once you have deployed your application, be sure to check out the Mozilla observatory. It
will scan your website for potential security flaws. Once the scan is complete you will get a
breakdown of what is good and what needs to be improved, as well as a cool overall score,
just like when you received that ‘amazing’ math test back in high school.

11) Research, research, and research


No matter how much effort you put into protecting your website, it will never be 100% secure, but that doesn't mean you can't do some research of your own and try to make it as secure as possible.

And that’s that! Your Django web application has the basic components that are required
for it to be secure. Of course, there are more ways to improve the security of your web
application, but you have now implemented the bare minimum that you require.
