[Django] #29025: Security middleware for insecure (HTTP) connections


Django

Jan 15, 2018, 2:50:17 PM
to django-...@googlegroups.com
#29025: Security middleware for insecure (HTTP) connections
------------------------------------------+--------------------------
Reporter: Vishwas Mittal | Owner: nobody
Type: New feature | Status: assigned
Component: HTTP handling | Version: 2.0
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------+--------------------------
Hello everyone,

I am starting my contribution to Django and I would like to propose a
security middleware that can provide some layer of security even in HTTP
connections by encrypting the request and response.

Here I will implement an SSL type feature in the backend and will also
provide a corresponding frontend implementation that can be used to
complete the encryption-decryption couple.

Please share your thoughts and valuable suggestions, I will appreciate any
type of help I can get from you.

P.S. This is just a brief intro about the feature; if you like this and
feel it is something achievable, then we can discuss it in detail.

Regards
Vishwas

--
Ticket URL: <https://code.djangoproject.com/ticket/29025>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jan 15, 2018, 2:52:23 PM
to django-...@googlegroups.com
#29025: Security middleware for insecure (HTTP) connections
--------------------------------+------------------------------------------
Reporter: Vishwas Mittal | Owner: Vishwas Mittal
Type: New feature | Status: assigned
Component: HTTP handling | Version: 2.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+------------------------------------------
Changes (by Vishwas Mittal):

* owner: nobody => Vishwas Mittal


--
Ticket URL: <https://code.djangoproject.com/ticket/29025#comment:1>

Django

Jan 15, 2018, 3:33:10 PM
to django-...@googlegroups.com
#29025: Security middleware for insecure (HTTP) connections

Comment (by Aymeric Augustin):

Why should Django reinvent HTTPS instead of simply recommending to use it?

--
Ticket URL: <https://code.djangoproject.com/ticket/29025#comment:2>

Django

Jan 15, 2018, 3:45:59 PM
to django-...@googlegroups.com
#29025: Security middleware for insecure (HTTP) connections

Comment (by Vishwas Mittal):

Replying to [comment:2 Aymeric Augustin]:


> Why should Django reinvent HTTPS instead of simply recommending to use it?

Sometimes many users (including me) use their Django server on the
computer only (for local networks); this can pose some problem of security,
and sometimes for some servers (say for non-commercial purposes) the
server can be HTTP.

Here I am not saying to use it every time; there can be a check, and if the
network is not HTTPS then we can use its protection, else just bypass it.

--
Ticket URL: <https://code.djangoproject.com/ticket/29025#comment:3>

Django

Jan 16, 2018, 8:49:44 AM
to django-...@googlegroups.com
#29025: Security middleware for insecure (HTTP) connections

Comment (by Jani Tiainen):

There already exists 3rd party app(s) that does the job.
(https://github.com/teddziuba/django-sslserver being one example).

I don't see much of enhancement over that library and it seems to be
relatively solid implementation for development purposes.

--
Ticket URL: <https://code.djangoproject.com/ticket/29025#comment:4>

Django

Jan 16, 2018, 11:53:54 AM
to django-...@googlegroups.com
#29025: Security middleware for insecure (HTTP) connections

Comment (by Vishwas Mittal):

Replying to [comment:4 Jani Tiainen]:


> There already exists 3rd party app(s) that does the job.
> (https://github.com/teddziuba/django-sslserver being one example).
>
> I don't see much of enhancement over that library and it seems to be
> relatively solid implementation for development purposes.
>
> And it's standard HTTPS, no need to have anything special "frontend" or
> "backend".

Yeah, you are right! I didn't find this type of apps earlier. Thanks for
your suggestions.

--
Ticket URL: <https://code.djangoproject.com/ticket/29025#comment:5>

Django

Jan 17, 2018, 8:14:41 AM
to django-...@googlegroups.com
#29025: Security middleware for insecure (HTTP) connections
--------------------------------+------------------------------------------
Reporter: Vishwas Mittal | Owner: Vishwas Mittal
Type: New feature | Status: closed
Component: HTTP handling | Version: 2.0
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------+------------------------------------------
Changes (by Tim Graham):

* status: assigned => closed
* resolution: => wontfix


Comment:

The [https://groups.google.com/d/topic/django-developers/qtwrmsPkrEM/discussion
django-developers discussion] hasn't yielded a consensus to incorporate
this into Django.

--
Ticket URL: <https://code.djangoproject.com/ticket/29025#comment:6>
