
Django web application security checklist

Photo by Maxim Zhgulev / Unsplash

Web application security

Web application security is the process of protecting websites and online services against the threats that would expose an application and the data it holds. It is essential for keeping a user's data out of the hands of a malicious user who intends to steal or tamper with it.

What is Django and how it stands

Django is a Python-based, open-source web framework that follows the MVT (Model-View-Template) architectural pattern. It is a batteries-included framework that is secure by default, but there are still a few things that need to be ‘tweaked’ in order to fully utilize Django’s defense capabilities.

1) Debug = False

Please, please, please never deploy your application with DEBUG = True. Ensure that DEBUG is set to False. If you don’t, then whenever an exception occurs Django will render a detailed error page that exposes your settings and environment variables to whoever triggered it.

# settings.py

DEBUG = False

2) Deployment checklist

The next important step is to run the command below in your terminal. It prints a breakdown of the major configuration issues in your Django web application that require your attention before you go through with deployment. For those of you who like to get ahead early in the game, give each of those security messages a quick google.

python manage.py check --deploy

3) Cross-site Scripting (XSS)

Cross-site scripting attacks involve an attacker injecting a malicious script into your application, typically through user-supplied content that is rendered without escaping. If an XSS attack is carried out, attackers may be able to steal your users' sensitive information, including session cookies. Django's templates auto-escape output by default, which is the main defense; the following settings add response headers that reduce the impact further. Note that SECURE_BROWSER_XSS_FILTER only sets the legacy X-XSS-Protection header, which current browsers ignore; it was deprecated in Django 3.0 and removed in Django 4.0, so on those versions keep only SECURE_CONTENT_TYPE_NOSNIFF.

# settings.py

SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True

4) SSL redirect

The line below will ensure that your application redirects all non-HTTPS requests to HTTPS.

# settings.py

SECURE_SSL_REDIRECT = True

5) Change the default Django admin URL

Someone who is familiar with Django can easily find your admin login page by simply typing “www.yourwebsite.com/admin” into their browser. Therefore, change your ‘admin/’ URL to something unique but memorable. This is obscurity rather than a real control, so treat it as a supplement to strong admin credentials, not a replacement for them.

Check the before and after code snippets to understand how to change your admin URL.

Before:

# urls.py

from django.contrib import admin
from django.urls import path

urlpatterns = [
    path('admin/', admin.site.urls)  # Default admin URL
]

After:

# urls.py

from django.contrib import admin
from django.urls import path

urlpatterns = [
    path('secret-admin/', admin.site.urls)  # Updated admin URL
]

6) HTTP Strict Transport Security (HSTS)

The lines below send the Strict-Transport-Security header, which tells a browser that has seen it once to use HTTPS for every future request to your site, protecting your web application from man-in-the-middle downgrade attacks. The value here (86400 seconds, one day) is a sensible starting point; once you have confirmed that HTTPS works everywhere, raise it, because the browser preload list only accepts sites with a max-age of at least one year and subdomains included.

# settings.py

SECURE_HSTS_SECONDS = 86400
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

7) Cross-site request forgery (CSRF) protection

These settings mark your session cookie and your CSRF cookie as Secure, so the browser will only ever send them over HTTPS and they cannot leak over an accidental plain-HTTP request.

Be sure that HTTPS is set up, then add the following lines:

# settings.py

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
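The settings from points 1, 3, 4, 6 and 7 are exactly the kind of thing `python manage.py check --deploy` inspects. As an added example (not Django's own code and not from the original post), the block below reimplements a handful of those checks as plain functions over a settings dictionary, so the logic can be read and run without a Django project. The setting names are Django's real ones; the check function, the message wording, and the two sample settings profiles are my own constructions.

```python
"""Offline mirror of a few of the checks behind `manage.py check --deploy`.

Added example, not Django's code: `deploy_warnings` reimplements the
intent of several deploy checks over a plain dict. Missing keys are
treated as "off"; it does not model Django's per-version defaults.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def deploy_warnings(settings: dict) -> list[str]:
    """Return human-readable warnings for a settings mapping.

    An empty list means the settings pass every check implemented here.
    """
    get = settings.get
    warnings: list[str] = []

    if get("DEBUG", False):
        warnings.append(
            "DEBUG is True: tracebacks will leak settings and environment to visitors"
        )

    if not get("SECURE_SSL_REDIRECT", False):
        warnings.append(
            "SECURE_SSL_REDIRECT is off: plain-HTTP requests are served, not redirected to HTTPS"
        )

    hsts = get("SECURE_HSTS_SECONDS", 0)
    if hsts <= 0:
        warnings.append(
            "SECURE_HSTS_SECONDS is 0: no Strict-Transport-Security header is sent"
        )
    elif get("SECURE_HSTS_PRELOAD", False) and hsts < ONE_YEAR:
        # Preload is only honoured by the preload list with a one-year max-age.
        warnings.append(
            f"SECURE_HSTS_PRELOAD is set but max-age {hsts} is below the "
            "one-year minimum the preload list requires"
        )

    if not get("SECURE_CONTENT_TYPE_NOSNIFF", False):
        warnings.append(
            "SECURE_CONTENT_TYPE_NOSNIFF is off: browsers may MIME-sniff responses"
        )

    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not get(name, False):
            warnings.append(f"{name} is off: the cookie can be sent over plain HTTP")

    return warnings


# Constructed sample profiles: a typical development setup and the
# hardened setup this checklist arrives at.
DEV_SETTINGS = {"DEBUG": True}

HARDENED_SETTINGS = {
    "DEBUG": False,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": ONE_YEAR,
    "SECURE_HSTS_PRELOAD": True,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    for label, profile in (("dev", DEV_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        found = deploy_warnings(profile)
        print(f"{label}: {len(found)} warning(s)")
        for message in found:
            print("  -", message)
```

Running it prints six warnings for the development profile and none for the hardened one; swapping the hardened profile's SECURE_HSTS_SECONDS for the one-day value used earlier on this page produces exactly one warning, the preload one, which is the caveat worth remembering when you copy those HSTS lines.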

8) Use python-decouple

Your settings.py file contains sensitive values such as your secret key and database credentials. Use python-decouple to move them out of the code base into a separate file that is never committed.

Step 1:

To install python-decouple in your application, open up your terminal and type in the following command:

pip install python-decouple

Step 2:

Create a .env file in your repository’s root directory.

Step 3:

As a test, we will store some important data, such as the debug flag and our secret key. Simply copy and paste the debug and secret key values from settings.py as-is into your .env file:

# .env

DEBUG=False
SECRET_KEY='my_secret_key'


Step 4:

If you use Git, add .env to your .gitignore so the file is never committed.

Step 5:

Next, you need to import the decouple library:

# settings.py

from decouple import config

Step 6:

Now we want to get our parameters.

Decouple always returns our data as a string. A non-empty string such as 'False' is truthy in Python, so we need to cast the value to a bool if we are expecting a Boolean, or to an int if we are expecting an integer. Go back to your settings.py and replace your existing debug and secret key values with the following:

# settings.py

DEBUG = config('DEBUG', cast=bool)
SECRET_KEY = config('SECRET_KEY')
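To make the casting pitfall from Step 6 concrete, here is an added example (not python-decouple's code and not from the original post) that mimics what decouple does: it parses a .env file, returns every value as a string, and only converts when a cast is supplied. `load_env`, `to_bool`, `csv` and this `config` are hypothetical helpers written for this page; the .env text is constructed. It runs offline with no packages installed, so you can see why `DEBUG=False` would silently become True without the cast.

```python
"""Why `cast=` matters when settings come from a .env file.

Added example, not python-decouple's code: these helpers imitate how
decouple reads KEY=VALUE lines and how its cast=bool interprets strings.
"""
from __future__ import annotations

from typing import Callable, Optional

# Constructed sample .env contents (what Step 3 puts in the file)
SAMPLE_ENV = """
# comments and blank lines are ignored
DEBUG=False
SECRET_KEY='my_secret_key'
ALLOWED_HOSTS=example.com, www.example.com
"""

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off", ""}
_MISSING = object()  # sentinel: "no default was given"


def to_bool(value: str) -> bool:
    """Interpret the usual textual spellings of a boolean.

    The naive bool("False") is True because any non-empty string is truthy;
    that is precisely the bug a proper cast avoids.
    """
    text = value.strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def csv(value: str) -> list[str]:
    """Split a comma-separated value into a list of trimmed items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines into a dict, stripping one layer of quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def config(env: dict, key: str, default=_MISSING, cast: Optional[Callable] = None):
    """Fetch a setting; fail loudly if it is absent and has no default."""
    if key in env:
        value = env[key]
    elif default is _MISSING:
        raise KeyError(f"{key} is not set and has no default")
    else:
        value = default
    # Values read from the file are always strings; cast only those.
    return cast(value) if cast is not None and isinstance(value, str) else value


def build_settings(env_text: str = SAMPLE_ENV) -> dict:
    """Assemble the settings this checklist pulls from .env, with casts."""
    env = load_env(env_text)
    return {
        "DEBUG": config(env, "DEBUG", default="False", cast=to_bool),
        "SECRET_KEY": config(env, "SECRET_KEY"),
        "ALLOWED_HOSTS": config(env, "ALLOWED_HOSTS", default="", cast=csv),
    }


if __name__ == "__main__":
    print("bool('False') ==", bool("False"))   # the trap: True
    print("with cast:", build_settings()["DEBUG"])  # False, as intended
```

Note that `config` raises when a required key such as SECRET_KEY is missing and no default is given; failing at startup is far better than booting with an empty secret key.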

9) Content Security Policy (CSP)

A Content Security Policy (CSP) is worth configuring, especially if your web application serves a lot of stylesheets and inline scripts: it tells the browser which sources of scripts, styles and frames are allowed to run, which helps prevent clickjacking, cross-site scripting and other types of code injection. Be sure to read up on CSP before adopting a policy, since an overly strict one will break your own pages.
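One way to attach a nonce-based CSP in Django, as an added example that is not part of the original post and is not the django-csp package: the middleware follows Django's plain middleware protocol (a callable that wraps `get_response`), so it runs here without importing Django. The class name, `build_csp`, the chosen directives and the fake request/response stand-ins are my own assumptions; in a real project the template would render `nonce="{{ request.csp_nonce }}"` on each inline script tag.

```python
"""Nonce-based Content-Security-Policy as a Django-style middleware.

Added example, not from the original post and not django-csp. The
middleware, directive set and the fakes at the bottom are assumptions.
"""
import secrets


def build_csp(nonce: str) -> str:
    """Build a strict CSP that permits only scripts carrying this nonce."""
    directives = {
        "default-src": "'self'",
        # Inline <script nonce="..."> runs only when the nonce matches.
        # 'strict-dynamic' lets those trusted scripts load further scripts;
        # browsers that understand it ignore 'self', kept as a fallback.
        "script-src": f"'self' 'nonce-{nonce}' 'strict-dynamic'",
        "style-src": "'self'",
        "object-src": "'none'",
        "base-uri": "'self'",
        # frame-ancestors is the directive that actually stops clickjacking.
        "frame-ancestors": "'none'",
        "form-action": "'self'",
    }
    return "; ".join(f"{name} {value}" for name, value in directives.items())


class CSPMiddleware:
    """Give every request a fresh nonce and emit the matching header."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # 128 bits of randomness, base64url encoded; never reuse across requests.
        request.csp_nonce = secrets.token_urlsafe(16)
        response = self.get_response(request)
        response["Content-Security-Policy"] = build_csp(request.csp_nonce)
        return response


# --- constructed stand-ins so the example runs without Django ---
class FakeRequest:
    """Bare object; the middleware sets csp_nonce on it like on HttpRequest."""


def demo_view(request):
    """A view that renders one inline script tagged with the request nonce."""
    body = f'<script nonce="{request.csp_nonce}">console.log("ok")</script>'
    return {"body": body}  # a dict stands in for HttpResponse's header mapping


def run_once() -> tuple[str, str, str]:
    """Drive the middleware with the fakes; return (nonce, header, body)."""
    app = CSPMiddleware(demo_view)
    request = FakeRequest()
    response = app(request)
    return request.csp_nonce, response["Content-Security-Policy"], response["body"]


if __name__ == "__main__":
    nonce, header, body = run_once()
    print(header)
    print(body)
```

The design point is that the nonce is generated per request and appears in both the header and the script tag, so an injected script without it will not run even though inline scripts are otherwise allowed; an attacker-supplied string cannot guess a fresh 128-bit nonce.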

10) Mozilla Observatory

Once you have deployed your application, be sure to check out the Mozilla observatory. It will scan your website for potential security flaws. Once the scan is complete you will get a breakdown of what is good and what needs to be improved, as well as a cool overall score, just like when you received that ‘amazing’ math test back in high school.

👉 https://observatory.mozilla.org/

11) Research, research, and research

No matter how much effort you put into protecting your website, it will never be 100% secure, but that doesn’t mean you can’t do some research of your own and make it as secure as possible.

Good luck!

And that's that! Your Django web application has the basic components that are required for it to be secure. Of course, there are more ways to improve the security of your web application, but you have now implemented the bare minimum that you require.