DRF with Rich Text


Yoo

Aug 20, 2019, 11:40:11 PM
to Django users
Hi, I'm gonna be using Django Rest Framework for an API with a Postgres stack and not developing a website. Coding apps in Swift and AndroidX Java. Users can POST rich text, or text that uses HTML, to the server, and then other users can GET that HTML and view it in (UI)TextView.

Based on previous experience, it seemed like Android's TextView wouldn't have any trouble with XSS or the like. Not sure about Swift, so can someone tell me if I should worry on the iOS side?

Last thing. Because this is just an API, how does DRF protect my server against some malicious JSON POST request? A request that isn't sent from the designated app or is hand-crafted. If DRF doesn't somehow serialize correctly, then there would be some server issues, right? Gah worrying.

TL;DR. Programming mobile with DRF. Should I worry about Rich Text (HTML Editing) on client and/or server side?

Aditya Singh

Aug 20, 2019, 11:46:24 PM
to django...@googlegroups.com
Hi,
Hope you are good.
First of all, Django ships with top-of-the-line CSRF protection. Secondly, you may specify domain-specific headers and strictly restrict the expected type of data, cookie timeouts, and the response data type from the server to the client. Also, you may leverage several robust Django-compatible packages which relate to security and prevent any requests to the API which are unauthorized. On "unauthorized", I feel obliged to mention that you must make sure that all the endpoints in your API are well defined and that all the methods being executed on those corresponding endpoints require strong authentication.
Hope I could be of some help,
Kind regards,
Aditya

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6c6b92e2-7e49-42f8-abe5-d05b1d0f4619%40googlegroups.com.

Yoo

Aug 21, 2019, 10:57:23 AM
to Django users
Hi,
Thanks for the prompt response (and sorry for such a late one). I suppose I'm simply asking about JSON in general and DRF validation. Using the general serializer (serializer.Serializers), DRF validates the JSON itself, right? So, if some malicious person sent Python code via the JSON using some kind of escape char, then DRF responds with an error, right?

Otherwise, is there some Django util that can deal with this? Because the API is just an endpoint. All someone has to do (at least in this project) is send a JWT Access token alongside some throttling. Can you point out some Headers that I can use? Is it possible to use some kind of app (i.e. android + iOS) signature?

Thank you!

Jonathan Mrutu

Aug 21, 2019, 12:43:06 PM
to django...@googlegroups.com
You must secure your endpoints with an authentication mechanism and, on top of that, you might consider using django-rest-knox.

//Jona
