Tips and Tricks for Improved Django Security: published


In this article we shall discuss a point to which we give little importance when we begin to program our application, and which, with a few small details, we can improve significantly: security!

Nowadays there are many ways in which a website may find itself at risk of being attacked; in the following link we can see the TOP 10 most common risks according to OWASP. Next, we'll give you a few pieces of advice about security without repeating those shown on the official Django website.

Wappalyzer is an extension which identifies the software running on our website. This allows some bots to exploit known bugs before we can patch our website, for which reason it is advisable to protect our website from this type of extension. In our case, Django is detected by the “csrfmiddlewaretoken”, whose name we can change; more details are given in the guide hide-django-from-wappalyzer.

One of the strengths of Django is the administration panel, which we can reach by using the default URL */admin. A way of hiding this panel and avoiding brute-force attacks is to change this URL, which is as simple as modifying the file urls.py and substituting:

# urls.py
from django.conf.urls import url
from django.contrib import admin

urlpatterns = [
    # Default admin url
    # url(r'^admin/', admin.site.urls),
    # Replace with the following url
    # (in Django 2.0+ the equivalent is path('my_secure_admin/', admin.site.urls))
    url(r'^my_secure_admin/', admin.site.urls),
]

Another way of protecting our administration panel would be to make it accessible only from the network where the server is hosted; it must be remembered that this panel is not designed for end users. We must make sure that DEBUG is deactivated in production, otherwise we may give a great deal of information to visitors with bad intentions. Remember that if we leave DEBUG set to False, we must configure the variable ALLOWED_HOSTS.

Use CSRF protection in forms which modify data, taking advantage of the ease which Django gives us with its CSRF middleware: “The CSRF middleware and template tag provides easy-to-use protection against Cross Site Request Forgeries”. For this we only have to activate it in our settings as another piece of middleware, 'django.middleware.csrf.CsrfViewMiddleware' (this should go above any middleware which we assume must stay protected by CSRF), and use the template tag in forms:

<form action="" method="post">{% csrf_token %}

Validate all the data which we receive in Django forms.

Allow access to page views like Login and Admin using only the https protocol.

If we suspect that our site is at risk of being attacked we can use packages such as django-admin-honeypot, which gives us a fake admin, saves a log and notifies the admins of failed access attempts.

Use the templates of Django instead of plain HTML, as this will protect us from the majority of XSS attacks.

One way of checking the security errors which we have is by using the following command, which gives us a detailed report about the different errors and how to improve them:

python manage.py check --deploy

Use the ORM of Django instead of raw SQL whenever possible, and, if it is necessary to use raw SQL, escape special characters.

Another way of checking our Django website if we do not have access to our server may be as simple as accessing the following website: ponycheckup, which will give us a report about basic security problems and how to improve them.
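As an added example (not code from the original article or from Django itself), here is a small offline audit of the settings discussed above: DEBUG and ALLOWED_HOSTS, the CSRF middleware, https-only access and the default admin path. It inspects a plain dict shaped like a settings module rather than a real project, so it runs without Django installed; the settings values and the admin path argument are constructed for illustration.

```python
# Added example: an offline audit of the Django settings discussed in the article.
# It works on a plain dict shaped like settings.py, so no Django install is needed;
# all values below are constructed, not taken from a real project.
import re

CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"


def audit_settings(settings, admin_path="admin/"):
    """Return a list of findings for the weak settings named in the article."""
    findings = []
    debug = settings.get("DEBUG", False)
    if debug:
        findings.append("DEBUG is True: tracebacks leak settings and code to visitors")
    # With DEBUG=False Django refuses every request unless ALLOWED_HOSTS is set.
    if not debug and not settings.get("ALLOWED_HOSTS"):
        findings.append("ALLOWED_HOSTS is empty: requests will fail with DEBUG=False")
    if CSRF_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        findings.append("CsrfViewMiddleware missing: POST forms are not CSRF-protected")
    # SECURE_SSL_REDIRECT is the Django setting that forces http -> https.
    if not settings.get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT is False: login/admin may be served over http")
    if re.fullmatch(r"admin/?", admin_path):
        findings.append("admin panel is mounted at the default 'admin/' path")
    return findings


# Constructed 'before' settings showing the weaknesses at once.
WEAK = {
    "DEBUG": True,
    "ALLOWED_HOSTS": [],
    "MIDDLEWARE": ["django.middleware.security.SecurityMiddleware"],
    "SECURE_SSL_REDIRECT": False,
}

# Constructed hardened settings: DEBUG off, hosts pinned, CSRF middleware present.
HARDENED = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["www.example.com"],
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        CSRF_MIDDLEWARE,
    ],
    "SECURE_SSL_REDIRECT": True,
}

if __name__ == "__main__":
    for name, cfg, path in [("weak", WEAK, "admin/"), ("hardened", HARDENED, "my_secure_admin/")]:
        print(name, audit_settings(cfg, path) or ["no findings"])
```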

Do you know of any other tip that you would like to share with us ?
