How to make Django Application more secure


Balaji Shetty

Dec 31, 2019, 9:39:45 AM
to django...@googlegroups.com
Hi

How can we provide the best security for a Django application hosted on the Pythonanywhere cloud?


--
Mr Shetty Balaji
Asst. Prof.
IT Department
SGGS I&T
Nanded. My. India

Jody Fitzpatrick

Jan 2, 2020, 11:38:53 AM
to Django users
Django by itself is fairly secure; it's your coding and the resources you use that make it insecure.

1.) Don't use simple passwords.
2.) Don't use /admin/ as your admin location. Do change it, and install something like a honeypot to catch people trying to gain access to the admin.
3.) Don't forget you have decorators that can help keep things secure, like login_required and various others.
4.) Don't hard-code sensitive data like hash keys and API keys; use environment variables.
5.) Maintain backups; the more frequently your data changes, the more frequently you should back up.

Hope this helps you some.

Balaji Shetty

Jan 2, 2020, 12:11:03 PM
to django...@googlegroups.com
Dear Jody

Thank you very much. 

Is an entire application built in the backend more secure than templates using views?
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/823dc144-b7ee-44b3-b8d6-a1677f344728%40googlegroups.com.

Jody Fitzpatrick

Jan 2, 2020, 2:30:14 PM
to Django users
Hi Balaji

It's not necessarily template views.

Let's come up with a scenario so you can see.


Let's assume you have an order form, and your customers can view that order form by viewing:

yoururl.com/orders/?order_id=101

You think it's okay; after all, the customer has to log in to view their order.

In your backend you use something like


    customer_order_id = request.GET.get('order_id')
    order = CustomerOrder.objects.get(id=customer_order_id)


There are a couple of problems with this.

 You should NEVER use numbers as your IDs that your user sees.

 -- You can potentially let competitors know how many customers you have, or how many orders you processed.

But wait, if you look at the query (and I have seen this before), the query is not checking to see if the current user has permission to view the order; it just grabs the record with the ID.

Now assume that the end user changes 101 to 102, and then to 103. If these records exist, they are going to get the data.

Use something like a uuid as your primary key to prevent this.

Also, add ownership to your queries, e.g. .get(id=customer_order_id, customer=request.user)

Shaheed Haque

Jan 2, 2020, 11:36:48 PM
to django...@googlegroups.com
Hi, 
As a noob, I realised the "scope security" aspect but it took a LOT longer to realise that Django's ORM has a nice pattern which can be of use here. The idea is to use queries rooted on the user. Using Jody's example, observe that there must be an FK between the request.user and CustomerOrder.customer.

That means that the query could be written like this:

    order = request.user.customerorder_set.get(...)

AFAIK there is no performance penalty to using this style and it seems to me like a good habit to adopt (I'd be interested to hear if the experts think differently?). 

Thanks, Shaheed 

