Security middleware for django for insecure (http) connections


Vishwas Mittal

Jan 15, 2018, 6:03:00 PM
to Django developers (Contributions to Django itself)
Hello everyone,

I am a new contributor to Django, and would like to propose a new middleware to Django that can provide some degree of security for HTTP connections by encrypting the data to be sent in response.

This middleware will work on the principles of HTTPS but the main difference is there will be no certification authority involved.

This will include the middleware implementation and also a user-side code/implementation which can be used to complete the encryption-decryption couple.

Please present your thoughts and make necessary suggestions regarding this.


Regards
Vishwas

Shai Berger

Jan 16, 2018, 2:17:45 AM
to django-d...@googlegroups.com
Hi Vishwas,

Can you state the circumstances in which this middleware will be
useful? Note that with the help of Let's Encrypt[1], an HTTPS
certificate is freely available to anyone, so there is no financial
barrier to using it.

Over and beyond the subject matter, is there anything preventing
implementation of your proposed middleware as an external package?
If there is, please let us know, perhaps there is a missing API we
need to add. If there isn't, then it would be better to do it that way
first -- so your method can be tested in real use before we consider
putting it into the framework.

Hope this helps,
Shai.

[1] https://letsencrypt.org/

Jani Tiainen

Jan 16, 2018, 9:01:00 AM
to django-d...@googlegroups.com
Hi,

Also, there exists an HTTPS devserver (at least one is
https://github.com/teddziuba/django-sslserver ) which does its job
pretty well. I used it when I had to demonstrate JavaScript location
services (which do require HTTPS, at least on Chrome).

So I'm pretty convinced that this subject can be done without changes to
Django core to demonstrate its usefulness in real-world use cases.
--
Jani Tiainen

Josh Smeaton

Jan 16, 2018, 6:52:18 PM
to Django developers (Contributions to Django itself)
HTTPS is enough. Despite that, how would you handle the **client** doing decryption and encryption? I don't think this is an idea you should pursue, especially if your expertise is not in security.