The internet can be a very dangerous place. One of the reasons for this is that whatever you decide to put online is at risk of being stolen by a malicious attacker. Therefore, you need to be very careful with what you intend to share online with others. Remember that once something is on the internet, it is there forever.
Luckily for us, Django is a very secure back-end framework that already comes with a set of built-in security functionalities. We can then tweak these functionalities to optimize the safety of our Django web application.
The trick is knowing how to do this...
Rule 1 - Set DEBUG to False for production environments
It is essential that you turn off the debug setting when you are about to deploy your Django web app.
This can be done as follows in your settings.py file:
DEBUG = False
Rule 2 - Use environment variables:
Never commit sensitive information to public repositories such as GitHub. In practice this means: don't put sensitive values (secret keys, database passwords, API tokens) directly in your settings.py file. It is a lot safer to read them from environment variables, or to use a Python package such as django-environ, so that the values never live in the repository.
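The following is an added example, not code from the original post, showing how the settings from Rules 1 and 2 can be read from the environment without the usual pitfalls. The variable names DJANGO_SECRET_KEY, DJANGO_DEBUG and DJANGO_ALLOWED_HOSTS are assumed; the important detail is that a raw string such as "False" is truthy, so DEBUG must be parsed, not assigned directly.

```python
import os

# Added example: security-relevant settings loaded from environment variables
# instead of being committed in settings.py. Variable names are assumptions.

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off", ""}


def env_bool(name, default=False, environ=None):
    """Parse a boolean setting. os.environ only holds strings, and the string
    "False" is truthy, so `DEBUG = os.environ.get("DJANGO_DEBUG")` would
    silently leave debug mode on in production; parse the value explicitly."""
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"{name} must be a boolean, got {raw!r}")


def env_required(name, environ=None):
    """Return a required secret, failing at startup rather than falling back
    to an empty or hard-coded default."""
    environ = os.environ if environ is None else environ
    value = environ.get(name, "").strip()
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without it")
    return value


def env_list(name, environ=None):
    """Parse a comma-separated list such as ALLOWED_HOSTS."""
    environ = os.environ if environ is None else environ
    raw = environ.get(name, "")
    return [item.strip() for item in raw.split(",") if item.strip()]


def load_settings(environ=None):
    """Build the security-relevant part of settings.py from the environment.
    In settings.py you would assign the returned values to SECRET_KEY, DEBUG
    and ALLOWED_HOSTS (Django requires ALLOWED_HOSTS once DEBUG is False)."""
    debug = env_bool("DJANGO_DEBUG", default=False, environ=environ)
    settings = {
        "SECRET_KEY": env_required("DJANGO_SECRET_KEY", environ),
        "DEBUG": debug,
        "ALLOWED_HOSTS": env_list("DJANGO_ALLOWED_HOSTS", environ),
    }
    if not debug and not settings["ALLOWED_HOSTS"]:
        raise RuntimeError("DJANGO_ALLOWED_HOSTS must be set when DEBUG is False")
    return settings
```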
Rule 3 - Use sensitive variables:
If you are handling sensitive information in your local variables, for example a credit_card_number, cvc_number or even a pin, it is best to mark these variables as sensitive so that Django knows not to show their values in error reports (for example the traceback emailed to admins when an exception occurs).
This can be achieved as follows:
from django.views.decorators.debug import sensitive_variables


@sensitive_variables('credit_card_number', 'cvc_number', 'pin_number')
def process_payment(request):
    # the logged-in user is used here; the attribute names are illustrative
    user = request.user
    first_name = user.firstname
    last_name = user.lastname
    # these three local variables are masked in Django's error reports
    credit_card_number = user.creditcardnumber
    cvc_number = user.cvcnumber
    pin_number = user.pinnumber
    ...
Rule 4 - Use sensitive post parameters:
If you are concerned about sensitive information being passed through your POST parameters, you can protect it in the same way, so that the values of those parameters are masked in error reports:
from django.views.decorators.debug import sensitive_post_parameters


@sensitive_post_parameters('cvc', 'pin')
def process_payment(request):
    # the 'cvc' and 'pin' POST values are masked in Django's error reports
    cvc_number = request.POST['cvc']
    pin_number = request.POST['pin']
    ...