Web application security
Web application security is the process of shielding websites and online services against security threats that leave an application exposed. Web application security is essential in protecting a user’s data from a malicious user who plans to cause harm to that data.
What is Django and where it stands
Django is a Python-based, open-source web framework that follows the MVT (Model-View-Template) architectural pattern. It is a batteries-included framework with secure defaults, but a few settings still need to be tweaked to get the full benefit of Django's built-in defences.
1) Debug = False
Please, please, please never deploy your application with DEBUG = True. Ensure that DEBUG is set to False. If you don't, Django will expose your settings and environment variables in the error page whenever an unhandled exception occurs.
# settings.py
DEBUG = False
2) Deployment checklist
The next important step is to run the command below in your terminal. It prints a list of warnings about your Django web application and gives you a quick breakdown of the major issues that need your attention before you deploy. For those of you who like to get ahead early in the game, give each of those security warnings a quick google.
python manage.py check --deploy
3) Cross-site Scripting (XSS)
Cross-site scripting attacks involve an attacker injecting a malicious script into your application, which then runs in your users' browsers. If an XSS attack is carried out, attackers may be able to steal your users' sensitive information. Django's templates escape output by default; on top of that, the following settings make Django's SecurityMiddleware send response headers that reduce the impact of XSS:
# settings.py
SECURE_BROWSER_XSS_FILTER = True    # sends X-XSS-Protection: 1; mode=block (deprecated in Django 3.0, removed in 4.0)
SECURE_CONTENT_TYPE_NOSNIFF = True  # sends X-Content-Type-Options: nosniff
4) SSL redirect
The line below makes Django's SecurityMiddleware redirect all non-HTTPS requests to HTTPS.
# settings.py
SECURE_SSL_REDIRECT = True
5) Change the default Django admin URL
Someone who is familiar with Django can easily find your admin page by simply typing "www.yourwebsite.com/admin" into their browser. Therefore, it is essential that you change your 'admin/' URL to something unique and memorable. This keeps the admin out of casual view; it is not a substitute for strong passwords and limiting who has staff access.
Check the before and after code snippets to understand how to change your admin URL.
# urls.py (before)
from django.contrib import admin
from django.urls import path

urlpatterns = [
    path('admin/', admin.site.urls),  # Default admin URL
]

# urls.py (after)
from django.contrib import admin
from django.urls import path

urlpatterns = [
    path('secret-admin/', admin.site.urls),  # Updated
]
6) HTTP Strict Transport Security (HSTS)
The lines below make Django send a Strict-Transport-Security header, which tells browsers to connect only over HTTPS for the configured period. This protects your web application from man-in-the-middle downgrade attacks and forces a connection over HTTPS.
# settings.py
SECURE_HSTS_SECONDS = 86400            # start small; raise it once you are sure HTTPS works everywhere
SECURE_HSTS_PRELOAD = True             # the preload list only accepts a max-age of at least one year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True  # required for preload; every subdomain must serve HTTPS
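The following is an added example, not code from the original post or from Django itself: it builds the Strict-Transport-Security and nosniff headers the way Django's SecurityMiddleware does for the settings above (names such as SECURE_SETTINGS, hsts_header and hsts_findings are this example's own), and flags HSTS combinations that will not do what you expect, such as asking for preload with the 86400-second max-age shown.

```python
from typing import Optional

# Constructed sample mirroring the settings.py snippets in this section.
SECURE_SETTINGS = {
    "SECURE_HSTS_SECONDS": 86400,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
}

ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts


def hsts_header(settings: dict) -> Optional[str]:
    """Build the Strict-Transport-Security value the way Django does.
    Django only adds it to responses for HTTPS requests, so it never appears on plain HTTP."""
    seconds = settings.get("SECURE_HSTS_SECONDS", 0)
    if not seconds:
        return None
    value = f"max-age={seconds}"
    if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
        value += "; includeSubDomains"
    if settings.get("SECURE_HSTS_PRELOAD"):
        value += "; preload"
    return value


def expected_headers(settings: dict) -> dict:
    """Headers a hardened deployment should show in its HTTPS responses."""
    headers = {}
    hsts = hsts_header(settings)
    if hsts:
        headers["Strict-Transport-Security"] = hsts
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


def hsts_findings(settings: dict) -> list:
    """Return human-readable problems with the HSTS settings (empty list = fine)."""
    findings = []
    seconds = settings.get("SECURE_HSTS_SECONDS", 0)
    if not seconds:
        return ["HSTS disabled: SECURE_HSTS_SECONDS is 0"]
    if settings.get("SECURE_HSTS_PRELOAD"):
        if seconds < ONE_YEAR:
            findings.append(f"preload requested but max-age {seconds} < {ONE_YEAR}")
        if not settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            findings.append("preload requires SECURE_HSTS_INCLUDE_SUBDOMAINS = True")
    return findings
```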
7) Cross-site request forgery (CSRF) protection
These two settings mark the session cookie and the CSRF cookie as Secure, so the browser only ever sends them over HTTPS and they cannot leak over plain HTTP by accident.
Be sure that HTTPS is set up, then add the following lines:
# settings.py
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
8) Use python-decouple
Your settings.py file will be full of sensitive information. Be sure to use python-decouple to keep everything separate and safe.
To install python-decouple in your application, open up your terminal and type in the following command:
pip install python-decouple
Create a .env file in your repository’s root directory.
As a test, we will store some important data, such as DEBUG and our SECRET_KEY. Copy the DEBUG and SECRET_KEY values from settings.py as-is into your .env file:
# .env
DEBUG=False
SECRET_KEY='my_secret_key'
If you happen to be using Git, add .env to your .gitignore so the secrets never end up in your repository.
Next, you need to import the decouple library:
# settings.py
from decouple import config
Now we want to get our parameters.
Decouple always returns our data as a string. To solve this problem, we need to cast it to a bool if we are expecting a Boolean or to an int if we are expecting an integer. Go back to your settings.py and replace your existing DEBUG and SECRET_KEY values with the following:
# settings.py
DEBUG = config('DEBUG', cast=bool)
SECRET_KEY = config('SECRET_KEY')
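The following is an added example and is not python-decouple's own code: a minimal stand-in (parse_env_text, cast_bool and config are this example's names) that reads the .env format above and applies the same cast=bool rule, to show why the cast matters, since without it DEBUG is the string 'False', which Python treats as true.

```python
import os
from typing import Callable, Optional

# Words accepted for cast=bool; anything else is an error, never a silent True.
_BOOL_WORDS = {"true": True, "yes": True, "on": True, "1": True,
               "false": False, "no": False, "off": False, "0": False}


def parse_env_text(text: str) -> dict:
    """Parse .env text: one KEY=VALUE per line, '#' comments and blank lines
    skipped, matching single or double quotes around the value removed."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[key] = value
    return values


def cast_bool(value: str) -> bool:
    word = value.strip().lower()
    if word not in _BOOL_WORDS:
        raise ValueError(f"not a boolean: {value!r}")
    return _BOOL_WORDS[word]


def config(key: str, env: dict, cast: Optional[Callable] = None, environ=None):
    """Look a key up, real environment variables taking precedence over the .env
    file (the order python-decouple uses), then apply the cast."""
    environ = os.environ if environ is None else environ
    if key in environ:
        value = environ[key]
    elif key in env:
        value = env[key]
    else:
        raise KeyError(f"{key} is set neither in the environment nor in .env")
    if cast is bool:          # decouple maps cast=bool to its own strtobool-style parser
        cast = cast_bool
    return cast(value) if cast else value


# Constructed .env content mirroring the snippet in this section.
SAMPLE_ENV = "# constructed .env\nDEBUG=False\nSECRET_KEY='my_secret_key'\n"


def demo(environ=None) -> dict:
    """Show the pitfall: without cast, DEBUG is the string 'False', which is truthy."""
    env = parse_env_text(SAMPLE_ENV)
    environ = {} if environ is None else environ   # isolated from the real process environment
    raw = config("DEBUG", env, environ=environ)
    return {"raw": raw, "raw_is_truthy": bool(raw),
            "debug": config("DEBUG", env, cast=bool, environ=environ),
            "secret_key": config("SECRET_KEY", env, environ=environ)}
```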
9) Content Security Policy (CSP)
A Content Security Policy (CSP) tells the browser which sources of scripts, styles and other content your pages are allowed to load. It is especially worth setting up if your web application contains a lot of styles and inline scripts, and it helps prevent clickjacking, cross-site scripting and other types of code injection attacks. Be sure to read up on CSP.
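The following is an added example, not code from the original post or from Django: a Django-shaped middleware (CSPNonceMiddleware and build_csp are this example's own names) that issues a fresh nonce per request and sends a Content-Security-Policy allowing only inline scripts and styles carrying that nonce, instead of the blanket 'unsafe-inline'. FakeRequest and FakeResponse stand in for Django's request and response objects so it runs without Django installed.

```python
import secrets


def build_csp(nonce: str) -> str:
    """Assemble the policy: scripts/styles only from this origin or tagged with the nonce,
    no plugins, and no framing by other sites (the clickjacking defence)."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "object-src": ["'none'"],
        "frame-ancestors": ["'none'"],
        "base-uri": ["'self'"],
    }
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


class CSPNonceMiddleware:
    """Same shape as a Django middleware: __init__(get_response) and __call__(request)."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # A new unguessable nonce per request; templates render <script nonce="{{ request.csp_nonce }}">.
        request.csp_nonce = secrets.token_urlsafe(16)
        response = self.get_response(request)
        response["Content-Security-Policy"] = build_csp(request.csp_nonce)
        return response


class FakeRequest:            # stand-in for django.http.HttpRequest
    pass


class FakeResponse(dict):     # stand-in for HttpResponse, which is header-subscriptable
    pass


def run_once() -> tuple:
    """Push one request through the middleware; returns (nonce, body, CSP header)."""
    def view(request):
        resp = FakeResponse()
        resp["body"] = f'<script nonce="{request.csp_nonce}">init()</script>'
        return resp
    request = FakeRequest()
    response = CSPNonceMiddleware(view)(request)
    return request.csp_nonce, response["body"], response["Content-Security-Policy"]
```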
10) Mozilla Observatory
Once you have deployed your application, be sure to check out the Mozilla Observatory. It will scan your website for potential security flaws. Once the scan is complete you will get a breakdown of what is good and what needs to be improved, as well as an overall score, just like when you received that 'amazing' math test back in high school.
11) Research, research, and research
No matter how much effort you put into protecting your website, it will never be 100% secure, but that doesn't mean you can't do some research of your own and try to make it as secure as possible.
And that's that! Your Django web application has the basic components that are required for it to be secure. Of course, there are more ways to improve the security of your web application, but you have now implemented the bare minimum that you require.