DEV Community

Security tips for Djangonauts

Lucky you, you user of the web framework for perfectionists with deadlines (AKA Django). The Django team has put a lot of thought into their security practice. I have summarized some of the best tips to keep your Django project secure. See all ten tips here

Throttle user authentications

Django provides a lot of security features baked in, but the authentication system does not inherently protect against brute force attacks. A malicious actor could hit your system with numerous login attempts, and potentially get in.

If this kind of attack is of concern for your project, use a project like Django Defender to lock out users after too many login attempts.

Protect your source code

Protecting your source code may seem to be an obvious step, but it is a multi-faceted step and is, therefore, worth exploring. One way to protect your source code is to make sure that it is not included in your web server’s root directory. If it is, there is a possibility that it is served, or that part of it is executed, in a way that you had not planned.

And although it goes without saying, if your project is sensitive, be sure to use a private repository on GitHub, Bitbucket, or GitLab. Also, make sure to never check your secrets into your version control system, regardless of whether you intend to use a private repo. It is possible that a private repository does not always stay private and someone with access to a private repo cannot always be trusted.

Use raw queries and custom SQL with caution

While it is tempting to write raw SQL queries and custom SQL, doing so may open the door for an attack. Django’s object-relational mapping (ORM) framework is designed to make querying your database easy. Querysets are constructed using query parameterization: the query's parameters are kept separate from the query's SQL code. A user attempting to perform a SQL injection (executing arbitrary SQL on a database) is going to find it much harder if you always use the ORM.

Django does allow the use of raw queries, but their use is not recommended. If you do use them, take extra care to properly escape any parameters. If you find the Django ORM to be insufficient for your needs, it is possible to use a different ORM within Django. SQLAlchemy is an example of an ORM that can be used with Django. If there is an ORM that better suits your project, making use of it is preferable to writing large amounts of raw SQL.
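
To make the difference concrete, here is an added example (not code from the original post) that runs the same lookup twice: once with user input formatted into the SQL string, once with the value passed as a parameter. It uses Python's built-in sqlite3 module so it runs without a Django project; the table, rows and function names are constructed for illustration. Django's cursor.execute(sql, params) and Manager.raw(sql, params) accept parameters the same way, with %s placeholders.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a model's table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO account VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("o'brien", "obrien@example.com"),
        ],
    )
    return conn


def find_unsafe(conn, username):
    # Vulnerable: the input becomes part of the SQL text, so a quote character
    # in `username` changes the structure of the statement.
    sql = "SELECT username, email FROM account WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_safe(conn, username):
    # Parameterized: the SQL text is constant and the value is sent separately,
    # so the driver always treats it as data.
    # Django equivalent: cursor.execute("... WHERE username = %s", [username])
    sql = "SELECT username, email FROM account WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile = "nobody' OR '1'='1"  # constructed input containing quotes
    print("unsafe, hostile input:", find_unsafe(conn, hostile))  # every row
    print("safe, hostile input:  ", find_safe(conn, hostile))    # no rows
    print("safe, legitimate apostrophe:", find_safe(conn, "o'brien"))
    try:
        find_unsafe(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        # The string-built query also breaks on ordinary names with quotes.
        print("unsafe, legitimate apostrophe:", exc)
```

The string-built version returns the whole table for the hostile input and raises a syntax error for an ordinary name containing an apostrophe; the parameterized version handles both correctly.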

Don’t let the perfect get in the way of the good

Every security step you take is a step in the right direction. Django may be for perfectionists with deadlines, but code doesn’t have to be perfect to reap security benefits. Implementing the concepts discussed above, to the best of your ability, can dramatically improve the security of your code and result in a healthier, more resilient project. Happy coding, Pythonistas!


I am a Developer Advocate at Snyk. This post originally appeared on the Snyk blog, with even more security tips. Find the full article here as well as an easily shareable PDF.

Top comments (1)

Nikita Sobolev • Edited

I would really recommend trying wemake-django-template for your next project. It is a boilerplate focused on code quality and security.

There are several features I would love to highlight:

  • Dependencies are checked on every CI run with safety
  • Insecure dependencies are automatically updated with snyk and dependabot
  • Bruteforce protection by django-axes
  • Smart and safe http headers with django-csp, django-http-referrer-policy, and django-feature-policy
  • Safe password hashers: bcrypt and argon
  • Static analysis with wemake-python-styleguide and bandit
  • Respecting builtin django's security checks in CI
  • Enforced HTTPS by default
  • And many others! Including documentation with best practices and common problems

wemake-services / wemake-django-template

Bleeding edge django template focused on code quality and security.

Bleeding edge django2.2 template focused on code quality and security.


Purpose

This project is used to scaffold a django project structure. Just like django-admin.py startproject but better.

Features

Installation

Firstly, you will need to install dependencies:

pip install cookiecutter jinja2-git

Then, create a project itself:

cookiecutter gh:wemake-services/wemake-django-template

Who are using this template?

If you use our template, please add yourself or your company in the list.

We offer free email support for anyone who is using this If you have any problems or questions,…

Check it out!