Django's overall security


John Madson

Sep 14, 2005, 10:25:54 AM9/14/05
to Django developers
There's been almost no discussion of Django's approach to security,
either on this list, the users list, Trac, or in the documentation.
Web application security is under heavy scrutiny these days and there's
nary a framework out there that's taking it seriously. This seems like
an opportunity for the Django community to set a positive example.

Now, I don't mean to step on anyone's toes with this suggestion. I'm
sure security was considered in Django's design, and that the last
couple years of production use has been educational in that respect.
But we all know that unforeseen issues crop up when our code is put
under someone else's lens, good intentions or not.

A thorough discussion leading to an audit of Django's security
methodology is, in my mind, essential before the 1.0 milestone. How do
people feel about this?

- John

Adrian Holovaty

Sep 14, 2005, 11:20:20 AM9/14/05
to django-d...@googlegroups.com
On 9/14/05, John Madson <jma...@techie.com> wrote:
> A thorough discussion leading to an audit of Django's security
> methodology is, in my mind, essential before the 1.0 milestone. How do
> people feel about this?

Sounds great. Let's do it!

Adrian

--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org

Jacob Kaplan-Moss

Sep 14, 2005, 11:22:17 AM9/14/05
to django-d...@googlegroups.com
Thanks for the question, John -- I agree that application security is
a *big* deal, and I'm all for setting a positive example! In fact,
one of our motivations in open sourcing Django was to get more eyes
on any potential security risks in Django (if indeed there are any).

Here's what I know about Django's security so far. Although I'm not
by any means a security expert, I do know quite a bit about the
common security holes in web apps (I used to be a PHP programmer --
ick).

First data point: we've been using Django for two years here in
Lawrence, and there have been no security breaches.

Second data point: because we do credit card processing our processor
just subjected us to an intensive security scan. The scan was unable
to find any issues -- even minor ones -- with Django.

Third data point: the critical pieces of Django -- request handling,
file uploads, database querying -- have all been written explicitly
with security in mind. The database layer in particular has been
specifically designed to make it *hard* to write unsafe database
code. Thus, it takes *more* effort to write code vulnerable to
injection attacks than it does to write safe code.

The upshot is that I'm very comfortable saying that we've got one of
the most secure web frameworks out there. Again, I'm not an expert
on security, so please feel free to verify my gut instincts for
yourself. In fact, if there *are* security wonks on this list, I
would *love* some sort of a security audit. If you're volunteering,
John, I'd be thrilled to provide any help I can.

Thanks!

Jacob

Simon Willison

Sep 14, 2005, 12:29:52 PM9/14/05
to django-d...@googlegroups.com
One thing that Django would definitely benefit from is support for
simple protection against CSRF attacks. The admin site should have
this turned on by default, and some kind of mechanism for easily
applying it to custom code would be welcome as well.

CSRF attacks are described in detail here:

http://www.squarefree.com/securitytips/web-developers.html#CSRF

(Further info at the bottom of the page)

Basically, if I can trick you into visiting a page that I control
while you are logged in to Django's admin, and I can guess the URL of
things within that admin, I can add/edit/delete the content on your
site by hiding my own form targeting your admin site on my page and
using JavaScript to get your browser to submit it.

The only guaranteed defence against this attack is to include in
every form a hidden field containing a one-time secret that an
attacker couldn't possibly guess. The secret "proves" that the form
being submitted was originally served by your site, not created by an
imposter.

I've filed a bug to track developments on this:
http://code.djangoproject.com/ticket/510

Cheers,

Simon Willison
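The defence described in the post above, as an added illustration that is not Django's own CSRF code: a per-session, one-time secret is embedded in every served form and a POST is honoured only if it presents a secret the server issued to that session. The `Session` class and the hidden field name `form_secret` are assumptions made for the example.

```python
import hmac
import re
import secrets

HIDDEN_FIELD = "form_secret"  # assumed field name, not Django's


class Session:
    """Stands in for server-side session state; holds unused secrets (assumed)."""
    def __init__(self):
        self.pending_tokens = set()


def issue_token(session):
    """Mint a fresh, unguessable secret and remember it for this session only."""
    token = secrets.token_urlsafe(32)
    session.pending_tokens.add(token)
    return token


def render_form(session, action):
    """Markup the site serves: the secret travels as a hidden field."""
    token = issue_token(session)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="{HIDDEN_FIELD}" value="{token}">'
            '<input type="submit"></form>')


def is_valid_submission(session, post_data):
    """Accept the POST only if it carries a secret issued to this session.
    Comparison is constant-time and the secret is consumed, so it is one-time."""
    submitted = post_data.get(HIDDEN_FIELD, "").encode()
    for token in list(session.pending_tokens):
        if hmac.compare_digest(token.encode(), submitted):
            session.pending_tokens.discard(token)
            return True
    return False


def demo():
    """Constructed scenario: a genuine submission from the served form, a
    cross-site POST that cannot know the secret, and a replay of a used secret."""
    session = Session()
    html = render_form(session, "/admin/articles/add/")
    token = re.search(r'value="([^"]+)"', html).group(1)
    genuine = is_valid_submission(session, {HIDDEN_FIELD: token, "title": "ok"})
    forged = is_valid_submission(session, {"title": "defaced"})  # no secret known
    replay = is_valid_submission(session, {HIDDEN_FIELD: token})  # already consumed
    return genuine, forged, replay
```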