Lucky you, you user of the web framework for perfectionists with deadlines (AKA Django). The Django team has put a lot of thought into their security practice. I have summarized some of the best tips to keep your Django project secure. See all ten tips here
Throttle user authentications
Django provides a lot of security features baked in, but the authentication system does not inherently protect against brute-force attacks. A malicious actor can hit your login view with a large number of attempts and, against a weak password, eventually get in.
If this kind of attack is a concern for your project, use a package such as Django Defender to lock out an account (or an account/IP pair) after too many failed login attempts, and make sure the same throttle covers every endpoint that accepts a password.
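To make the mechanism concrete, here is an added example (not Django Defender's code, and not from the original post) of the bookkeeping such a package does: failed logins are counted per username/IP pair inside a sliding window, and the pair is locked for a cooling-off period once the threshold is reached. The thresholds, the `check_password` callable and the in-memory store are assumptions; a real deployment keeps this state in a shared store such as the cache or database so every worker sees the same counts.

```python
import time
from collections import defaultdict, deque

# Assumed thresholds for the illustration; tune them per project.
MAX_FAILURES = 5        # lock after this many failures inside the window
WINDOW_SECONDS = 300    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long a locked pair stays locked


class LoginThrottle:
    """Sliding-window failed-login counter with a lockout (in-memory, per process)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._locked_until = {}               # key -> time the lock expires

    @staticmethod
    def _key(username, ip):
        # Keying on username+IP means an attacker cannot lock a victim out
        # from everywhere, but also cannot spray one IP without limit.
        return (username.lower(), ip)

    def is_locked(self, username, ip):
        key = self._key(username, ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear the lock and the old failure history.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, username, ip):
        """Record a failed attempt; return True if the pair is now locked."""
        key = self._key(username, ip)
        now = self.clock()
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, username, ip):
        self._failures.pop(self._key(username, ip), None)


def attempt_login(throttle, check_password, username, password, ip):
    """Wrap a credential check with the throttle.

    check_password is the application's own verifier (assumed here to be any
    callable returning a bool). Returns "locked", "ok" or "denied".
    """
    if throttle.is_locked(username, ip):
        return "locked"          # do not even evaluate the password
    if check_password(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"
```

Note that a locked pair is refused before the password is checked, so a correct guess during the lockout still fails; that is what makes the lockout effective against online guessing rather than merely slowing it down.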
Protect your source code
Protecting your source code may seem an obvious step, but it is multi-faceted and therefore worth exploring. One facet is making sure the code does not live under your web server's document root. If it does, the server may serve it directly, or execute part of it in a way you never intended.
And although it goes without saying, if your project is sensitive, use a private repository on GitHub, Bitbucket, or GitLab. Also, never check secrets into version control, regardless of whether the repository is private: a private repository does not always stay private, and not everyone with access to it can be trusted. Keep SECRET_KEY, database passwords and API tokens in environment variables or a secrets manager and read them from there in settings.py.
Use raw queries and custom SQL with caution
While it is tempting to write raw SQL queries and custom SQL, doing so may open the door to SQL injection. Django's object-relational mapping (ORM) framework is designed to make querying your database easy, and QuerySets are built with parameterized queries: the parameters are handed to the database driver separately from the SQL text, so user input is never interpreted as SQL. An attacker attempting SQL injection (executing arbitrary SQL on the database) will find it much harder if you consistently use the ORM.
Django does allow raw queries (Manager.raw() and direct cursor access), but their use is not recommended. If you do use them, never assemble the SQL string with string formatting or concatenation; pass user-supplied values through the params argument so the driver binds them as data. If you find the Django ORM insufficient for your needs, it is possible to use a different ORM within Django; SQLAlchemy is one example. An ORM that better suits your project is preferable to writing large amounts of raw SQL.
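The following added example (not from the original post or from Django itself) shows the difference in working code, using the standard-library sqlite3 driver so it runs without a Django project. The `auth_user` table and its rows are constructed sample data. Django's `Manager.raw(sql, params)` and `cursor.execute(sql, params)` take the same shape, except that Django uses `%s` placeholders for every backend where sqlite3 uses `?`. The third function covers the case parameters cannot solve: identifiers such as a sort column cannot be bound, so they must be validated against an allowlist instead.

```python
import sqlite3


def make_db():
    """Constructed sample data: a minimal auth_user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, is_staff INTEGER)"
    )
    conn.executemany(
        "INSERT INTO auth_user (username, is_staff) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


def find_user_vulnerable(conn, username):
    # BAD: the value is pasted into the SQL text, so a quote in the input
    # ends the literal and the rest is executed as SQL.
    sql = f"SELECT username FROM auth_user WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # GOOD: placeholder in the SQL, value passed separately. The driver sends
    # the value as data; it can never change the statement's structure.
    # In Django: User.objects.raw("... WHERE username = %s", [username])
    sql = "SELECT username FROM auth_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, [username])]


# Identifiers (table and column names) cannot be bound as parameters.
# The only safe option is to compare the request against a fixed allowlist.
ALLOWED_ORDER_COLUMNS = {"username", "id"}


def list_users_ordered(conn, column):
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = f"SELECT username FROM auth_user ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


# A classic tautology payload, constructed for the demonstration.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))  # every row leaks
    print("safe:      ", find_user_safe(db, PAYLOAD))        # no such user
```

Run it and the vulnerable query returns all three users for the payload while the parameterized one returns nothing, because the literal string `x' OR '1'='1` matches no username. Escaping the input by hand is not an acceptable substitute for binding: escaping rules differ per backend and are easy to get wrong, whereas a bound parameter is never parsed as SQL at all.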
Don't let the perfect get in the way of the good
Every security step you take is a step in the right direction. Django may be for perfectionists with deadlines, but code doesn't have to be perfect to reap security benefits. Implementing the concepts discussed above, to the best of your ability, can dramatically improve the security of your code and result in a healthier, more resilient project. Happy coding, Pythonistas!
I am a Developer Advocate at Snyk. This post originally appeared on the Snyk blog, with even more security tips. Find the full article there, along with an easily shareable PDF.
Top comments (1)
I would really recommend trying wemake-django-template for your next project. It is a boilerplate focused on code quality and security.
There are several features I would love to highlight:
safety, snyk, and dependabot
django-axes
django-csp, django-http-referrer-policy, and django-feature-policy
bcrypt and argon
bandit
wemake-services / wemake-django-template
Bleeding edge django2.2 template focused on code quality and security.
Purpose: This project is used to scaffold a django project structure, just like django-admin.py startproject, but better.
Features: python3.7+; build, test, and deploy pipeline configured by default; http/2 turned on by default.
Installation: Firstly, you will need to install dependencies. Then, create a project itself.
Who are using this template? If you use our template, please add yourself or your company in the list.
We offer free email support for anyone who is using this. If you have any problems or questions, …
Check it out!