Django Security Resources

Posted January 09, 2012

Security is a complex beast and is not just limited to the application level (i.e., your Django project); there are several layers above and below your web app where a security hole could be disastrous for you or your users. Only a full security audit from a competent security professional can tell you if your site is secure.

That said, I hope this post will help ensure your Django site is reasonably secure. I am by no means an expert in web application security, and this post is as much for my own reference as it is for yours. I will try to keep this information up to date as time goes on. If you have any suggestions, please let me know.

Literature

Django Documentation — Security in Django

The Django Book — Chapter 20: Security

Django Apps

django-admin-honeypot — "A fake Django admin login screen to notify admins of attempted unauthorized access." (Disclaimer: I made this.)

django-axes — "A very simple way for you to keep track of failed login attempts, both for the Django admin and for the rest of your site." Useful for throttling login attempts and preventing brute-force password attacks.

django-bcrypt — "Makes it easy to use bcrypt to hash passwords with Django. You should be using bcrypt."

django-secure — "Helping you remember to do the stupid little things to improve your Django site's security."

django-xframeoptions — Django middleware to add the X-Frame-Options HTTP header to prevent clickjacking attacks.

Presentations

Advanced Security Topics, DjangoCon 2011 [video] — "An in-depth look (with demonstrations) at the how and why of several advanced security topics. Discussion of ways to improve security of the framework moving forward."

Django Web Application Security [slides]

This post is filed under django and security.
