Upload
spin-lai
View
4.184
Download
2
Embed Size (px)
Citation preview
Two Scoops of DjangoSecurity Best Practices
Spin Lai
I. Django Configurations
II. Django Security Features
III. Django Admin
IV. What Else ?
I. Django Configurations
II. Django Security Features
III. Django Admin
IV. What Else ?
Django Configurations
Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY
!
Django Configurations
Designate Settings DEBUG / TEMPLATE_DEBUG ALLOW_HOSTS SECRET_KEY
!$ python manage.py --settings=[setting path]
$ django-admin.py --settings=[setting path]
$ export DJANGO_SETTINGS_MODULE=[setting path]
Django Configurations
Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY
!
DEBUG = False !TEMPLATE_DEBUG = False
Django Configurations
Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY
! # Must be set when DEBUG = False ALLOWED_HOSTS = [ 'localhost', 'www.example.com', '.example.com', '*' # Avoid ! ]
Django Configurations
Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY
!
‣ Configuration values, not code. ‣ DO NOT keep them in version control. ‣ Use environment variables.
Django Configurations
Designate Settings DEBUG / TEMPLATE_DEBUG ALLOWED_HOSTS SECRET_KEY
! !def get_env_variable(varname): try: return os.environ[varname] except KeyError: msg = "Set the %s environment variable" % var_name raise ImporperlyConfigured(msg)
I. Django Configurations
II. Django Security Features
III. Django Admin
IV. What Else ?
Django Security Features
XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Django Security Features
XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
‣ Django by default escapes specific characters ‣ Be careful when using is_safe attribute ‣ Be very careful when storing HTML in Database
Django Security Features
XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than @csrf_protect
• Be careful with @csrf_exempt
CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than csrf_protect()
• Be careful with csrf_exempt()
‣ Random token value by CsrfViewMiddleware (CSRF cookie) ‣ `csrf_token` template tag generate hidden input ‣ Every request calls django.middleware.csrf.get_token() ‣ Compare CSRF cookie with `csrfmiddlewaretoken` value ‣ With HTTPS, CsrfViewMiddleWare will check referer header
CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than csrf_protect()
• Be careful with csrf_exempt()
‣ Pass CSRF token as POST data with every POST request ‣ Set a custom `X-CSRFToken` header on each request ‣ CSRF cookie might not exist without `csrf_token` tag
CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than csrf_protect()
• Be careful with csrf_exempt()
var origSync = Backbone.sync; Backbone.sync = function (method, model, options) { options.beforeSend = function (xhr) { xhr.setRequestHeader('X-CSRFToken', $.cookie('csrftoken')); }; ! return origSync(method, model, options); };
CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than @csrf_protect
• Be careful with @csrf_exempt
CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than @csrf_protect
• Be careful with @csrf_exempt
CSRF protection
• Django CSRF Protection Workflow
• CSRF Protection for AJAX Request
• HTML Search Form
• CsrfViewMiddleware rather than @csrf_protect
• Be careful with @csrf_exempt
Django Security Features
XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Injection protection
• Script Injection
• SQL Injection
Injection protection
• Script Injection
• SQL Injection
‣Beware of the eval(), exec() and execfile() ‣DO NOT use `pickle` module to serialize/deserialize data. ‣Only use safe_load() in PyYAML
Injection protection
• Script Injection
• SQL Injection
‣ Django Queryset escape varaibles automatically ‣ Be careful to escape raw SQL properly ‣ Exercise caution when using extra()
Django Security Features
XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Clickjacking protection
• `X-Frame-Options` HTTP header
• Configurations
• @xframe_options_exempt
• Browsers Support
Clickjacking protection
• `X-Frame-Options` HTTP header
• Configurations
• @xframe_options_exempt
• Browsers Support
Whether or not a resource is allowed to load within a frame or iframe
Clickjacking protection
• `X-Frame-Options` HTTP header
• Configurations
• @xframe_options_exempt
• Browsers SupportMIDDLEWARE_CLASSES = ( ... 'django.middleware.clickjacking.XFrameOptionsMiddleware', ... )
Clickjacking protection
• `X-Frame-Options` HTTP header
• Configurations
• @xframe_options_exempt
• Browsers Support# Default X_FRAME_OPTIONS = 'SAMEORIGIN' !X_FRAME_OPTIONS = 'DENY'
Clickjacking protection
• `X-Frame-Options` HTTP header
• Configurations
• @xframe_options_exempt
• Browsers Support
Clickjacking protection
• `X-Frame-Options` HTTP header
• Configurations
• @xframe_options_exempt
• Browsers Support
‣ Internet Explorer 8+ ‣ Firefox 3.6.9+ ‣ Opera 10.5+ ‣ Safari 4+ ‣ Chrome 4.1+
Django Security Features
XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
SSL / HTTPS
• HTTPS Everywhere !
• Secure Cookies
• HSTS
• Packages
SSL / HTTPS
• HTTPS Everywhere !
• Secure Cookies
• HSTS
• Packages
‣ Web server configuration ‣ Django middleware ‣ SSL certificate from reputable source
SSL / HTTPS
• HTTPS Everywhere !
• Secure Cookies
• HSTS
• Packages
SECURE_PROXY_SSL_HEADER = False !$ export HTTPS=on
SSL / HTTPS
• HTTPS Everywhere !
• Secure Cookies
• HSTS
• PackagesSESSION_COOKIE_SECURE = True !CSRF_COOKIE_SECURE = True
SSL / HTTPS
• HTTPS Everywhere !
• Secure Cookies
• HSTS
• Packages
‣Redirect HTTP links to HTTPS ‣Web server level configuration ‣HSTS-compliant browsers
SSL / HTTPS
• HTTPS Everywhere !
• Secure Cookies
• HSTS
• Packages
Strict-Transport-Security: max-age=31536000, includeSubDomains
SSL / HTTPS
• HTTPS Everywhere !
• Secure Cookies
• HSTS
• Packages ‣ django-sslify ‣ django-secure ‣ django-hstsmiddleware
Django Security Features
XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Password Storage
• PBKDF2 + SHA256
• User.password
• PASSWORD_HASHER
• Use bcrypt
• Increase work factor
Password Storage
• PBKDF2 + SHA256
• User.password
• PASSWORD_HASHER
• Use bcrypt
• Increase work factor
Password Storage
• PBKDF2 + SHA256
• User.password
• PASSWORD_HASHER
• Use bcrypt
• Increase work factor
<algorithm>$<iteration>$<salt>$<hash>
Password Storage
• PBKDF2 + SHA256
• User.password
• PASSWORD_HASHER
• Use bcrypt
• Increase work factor
PASSWORD_HASHERS = ( 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher', 'django.contrib.auth.hashers.BCryptPasswordHasher', 'django.contrib.auth.hashers.SHA1PasswordHasher', 'django.contrib.auth.hashers.MD5PasswordHasher', 'django.contrib.auth.hashers.UnsaltedSHA1PasswordHasher', 'django.contrib.auth.hashers.UnsaltedMD5PasswordHasher', 'django.contrib.auth.hashers.CryptPasswordHasher', )
Password Storage
• PBKDF2 + SHA256
• User.password
• PASSWORD_HASHER
• bcrypt
• Increase work factor
Password Storage
• PBKDF2 + SHA256
• User.password
• PASSWORD_HASHER
• Use bcrypt
• Increase work factor
Django Security Features
XSS Protection CSRF Protection Injection Protection Clickjacking Protection SSL / HTTPS Password Storage Data Validation
Data Validation
• Django Forms
• User-Uploaded Content
Data Validation
• Django Forms
• User-Uploaded Content‣ Designed to validate Python dictionaries ‣ Not only for HTTP POST request ‣ DO NOT use ModelForms.Meta.exclude ‣ Use ModelForms.Meta.fields instead
Data Validation
• Django Forms
• User-Uploaded Contentfrom django import forms from .models import Store !class StoreForm(forms.ModelForm): ! class Meta: model = Store # Don't Do this!! excludes = ("pk", "slug", "modified")
Data Validation
• Django Forms
• User-Uploaded Contentfrom django import forms from .models import Store !class StoreForm(forms.ModelForm): ! class Meta: model = Store # Explicitly specifying what we want fields = ("title", "address", "email")
Data Validation
• Django Forms
• User-Uploaded Content
‣ Limit upload in web server ‣ FileField / ImageField ‣ python-magic ‣ Validate with specific file type library
Data Validation
• Django Forms
• User-Uploaded Content
from django.utils.image import Image !try: Image.open(file).verify() except Exception: # Pillow (or PIL) doesn't recognize it as an image. six.reraise(ValidationError, ValidationError( self.error_messages['invalid_image'], code='invalid_image', ), sys.exc_info()[2])
I. Django Configurations
II. Django Security Features
III. Django Admin
IV. What Else ?
Django Admin
Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin
Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin
Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin
Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
‣ Web server configuration ‣ Django middleware
Django Admin
Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin
Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
Django Admin
Change the Default Admin URL Access Admin via HTTPS Limited Access Based on IP Use `allow_tags` attribute with Caution Admin Docs Packages
‣ django-admin-honeypot ‣ django-axes
I. Django Configurations
II. Django Security Features
III. Django Admin
IV. What Else ?
What else ?
Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ?
Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ?
Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
‣ PCI-DSS Security Standards ‣ Sufficient Time/Resource/Funds ‣ Using 3rd-Party Services ‣ Beware of Open Source Solutions
What else ?
Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
‣ Check access/error logs regularly ‣ Install monitoring tools
What else ?
Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ?
Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ?
Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ?
Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
What else ?
Harden your servers NEVER store credit card data Server monitoring Vulnerability reporting page Keep things up-to-date
Keep Things Up-to-Date
• Dependencies
• Security Practices
Keep Things Up-to-Date
• Dependencies
• Security Practiceshttps://www.djangoproject.com/weblog/
Keep Things Up-to-Date
• Dependencies
• Security Practices
Keep Things Up-to-Date
• Dependencies
• Security Practices
Keep Things Up-to-Date
• Dependencies
• Security Practices
Thank You