Frog and Toad Learn About Django Security

Philip James

Wednesday 1:30 p.m.–2:20 p.m.
Audience level: Intermediate or Advanced

Description

Come join us by the fire as we have Security Story Time with our friends, Frog and Toad. With them, you'll learn about all the things Django does to protect users and developers out of the box. We'll look at simplified code samples from the Django codebase to see what's happening under the hood, and cover how to make the Django security model even stronger in your application.

Abstract

Django Security Talk Notes

  • Introduction
    • Philip James, how long I’ve worked with Python and Django, background at EB
  • Introduction to the story, and the characters
  • Safe-ish: Talk about Django’s Security Model and how it tries to provide sane defaults for developers

  • Run-through of the parts of the django security model

    • XSS (brief definition)

      • Django escapes characters by default

      • How?

      • How do you turn it off? Mark Safe, | n, safe

    • CSRF (brief definition)

      • Django has middleware that checks POST requests for a token

      • How?

      • Token is stored in cookie, also

      • Could be better? Make cookie httponly

      • Side-effect: harder to JS. Also, only an issue if you’re already owned, so maybe not an issue?

      • How to get around it? csrf_exempt

    • SQLi (brief definition)

      • Django’s ORM makes clean sql, (even when given bad data?)

      • How?

      • How to get around it: extra()/RawSQL()

    • Clickjacking protection (brief definition)

      • Django has middleware that sets headers browsers are supposed to respect

      • Which browsers? https://docs.djangoproject.com/en/1.8/ref/clickjacking/#limitations

      • How to get around it: xframe_options_exempt, xframe_options_deny, xframe_options_sameorigin

    • HTTPS

      • This one is less "out of the box" than the others, so won’t be talked about here.

    • Host Header Validation (brief definition)

      • Django verifies against allowed hosts in settings

      • How? get_host()

    • Session security

      • What are django sessions?

      • Cookie-based by design

  • How can we make this better?

Buy your conference and tutorial tickets here! Tutorials are $150 per session.