Kicking Security Goals
By: Colin Rolfe
@colin_rolfe
Warnings and disclaimers
- I am not an expert/lawyer
- None of this is legal advice
- This guide is by no means comprehensive
- We're not going to talk about BREACH or the NSA
Django does a good job!
- Stacks up well against the OWASP top 10
- http://pyvideo.org/video/2203/building-secure-web-apps-python-vs-the-owasp-top
- Security releases are a fact of life, but fewer than others
- It's usually tough, but still possible to shoot yourself in the foot
Pentesting: Rails vs Django
http://levigross.github.io/penetration-testing-django-and-rails/
What do you mean there's no SSL?!
What do I need to do?
- Get an SSL certificate (preferably a wildcard)
- Install it
- Configure your web server to use it
- Do yourself a favour and use site-wide SSL
SSL engaged, time for lunch!
Not quite yet.
Watch this video
Insecure Cookies
- The user has no guarantee they are talking to your site
- An attacker can intercept and modify requests
- Even with SSL, the user's initial request goes over plain HTTP by default
Strict transport security
- Header that instructs browser to only request site over HTTPS
- Eliminates the problem just described
- In nginx: add_header Strict-Transport-Security max-age=31536000;
- https://github.com/carljm/django-secure/
Enable clickjacking protection
Prevents your site from being served in an iframe on some other site.
In settings.py (MIDDLEWARE_CLASSES):
# Uncomment the next line for simple clickjacking protection
'django.middleware.clickjacking.XFrameOptionsMiddleware',
Turned on by default in Django 1.6?
Set content-security-policy
- Header that prevents XSS by whitelisting domains that can serve 3rd party JavaScript
- Relies on the browser to enforce it
- Requires a bit of tinkering to get right
- https://github.com/mozilla/django-csp
Be careful with that API!
- Finally! A place you can shoot yourself in the foot!
- Make damn sure you are cleaning any user-submitted data
- Sounds simple, but easy to forget
- Writing your own API code is probably a very bad idea...
- ...unless you're Curtis :)
How can I test some of these changes?
- SSL-specific: https://www.ssllabs.com/ssltest/analyze.html
- Django-specific: http://ponycheckup.com
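A local check for the three headers the deck covers (HSTS, X-Frame-Options, CSP), as an added example that is not part of the talk: feed it a response's headers and it reports what is missing or weak. The one-year HSTS threshold mirrors the max-age in the nginx line above; the sample header sets are constructed.

```python
import re

# Assumed threshold: one year, the same max-age as the deck's nginx example.
MIN_HSTS_MAX_AGE = 31536000


def _parse_hsts(value):
    """Return the max-age from a Strict-Transport-Security value, or None."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def check_security_headers(headers):
    """Return a list of findings for a dict of response headers (empty = all good)."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []

    # HSTS: must be present and long-lived, or browsers will keep trying HTTP.
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif (_parse_hsts(hsts) or 0) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below %d" % MIN_HSTS_MAX_AGE)

    # X-Frame-Options: XFrameOptionsMiddleware sets DENY or SAMEORIGIN.
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # CSP: must exist and must not re-open the inline-script hole it closes.
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")

    return findings


# Constructed sample header sets: one hardened as the deck recommends, one weak.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_security_headers(hdrs) or ["ok"])
```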