SECURITY TIPS, DJANGO DEVELOPER

Securing Django-powered applications

October 27, 2021

Django, a popular high-level Python web framework, is widely praised for its ease of use and pragmatic design. It is a mature framework with a good reputation for security. Even so, as attack techniques keep evolving and web security evolves with them, Django applications remain exposed to their share of critical vulnerabilities.

Whether the application is a web, desktop, Android or iOS application, security is vital. Sensitive data exposure vulnerabilities occur when web applications are not properly protected; an attacker can then access passwords, payment card information and authentication credentials.

The onus is therefore on the developer to manage both the local defaults and the customized production settings effectively.

In this article (a continuation of my previous article on Django), we discuss key security issues that need to be addressed in Python/Django-based applications.

Security threats common to Django Applications

SQL Injection

SQL injection is a common attack in which malicious SQL is supplied to the application so that it queries the target site's database for information that was never intended to be shown to any user. A simple login API can be an injection point when SQL fragments are passed in the username and password fields.

CSRF

CSRF stands for cross-site request forgery: a different website is used to make a request to your vulnerable website on the victim's behalf. If the attack succeeds, the attacker controls the actions of the user's account and can, for example, change the account password, delete data, or delete the account itself.

XSS

In a cross-site scripting (XSS) attack, JavaScript code supplied by the attacker runs in the victim's browser and is used to access the user's account. When CSRF is not possible because of the same-origin policy (SOP), attackers turn to this web security vulnerability instead. Typically, the attacker creates a post containing JavaScript code and tries to get that post displayed on the user's post page.

Clickjacking

In this attack, a button or link on the target site is hidden behind a decoy such as a fake "download now" button or a fake image in a spam email. When the victim clicks the decoy, the hidden button or link is triggered and performs a malicious action on the target site on that user's behalf.

Authentication Vulnerabilities

Sometimes an API has a logical flaw that lets it be accessed directly without authentication. Such flaws also leave the API open to brute-force attacks, in which the attacker proceeds by trial and error.

Ways to prevent security attacks in Django

Django Admin

By default, the Django admin site's URL is admin/. Change it to something else that only you know; this keeps the Django admin login page from being found and accessed by others.

Django Security

Django Credentials

Keep all Django credentials, such as SMTP details, authentication secret keys and database credentials, in a separate environment file. Do not add this environment file to the git repository. This prevents anyone who merely has access to the code repository from gaining database access; only the server admin or site managers will have it. For example,
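The following added example (my own illustration, not code from the original article or from Django) shows one way to do this in settings.py: a small parser for a `.env` file and a loader that builds the secret-bearing settings from an environment mapping and refuses to start when a required variable is missing. `REQUIRED_VARS`, `parse_env_file`, `settings_from_env` and the variable names are my assumptions; the sample file contents are constructed placeholders. The Django setting names (`SECRET_KEY`, `DATABASES`, `EMAIL_HOST`, `EMAIL_HOST_USER`, `EMAIL_HOST_PASSWORD`, `EMAIL_USE_TLS`) are real.

```python
import os

# Variables every deployment must provide; none of their values live in the repo.
REQUIRED_VARS = ("DJANGO_SECRET_KEY", "DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


def parse_env_file(text):
    """Parse KEY=VALUE lines from a .env file into a dict.

    Blank lines and '#' comments are skipped; matching single or double quotes
    around a value are removed. (Simplified parser written for this example;
    python-dotenv or python-decouple do the same job in real projects.)
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key.strip()] = value
    return values


def settings_from_env(env=None):
    """Build the secret-bearing Django settings from an environment mapping.

    Fails loudly when a required variable is missing, so a misconfigured
    server refuses to start instead of running with an empty password.
    """
    if env is None:
        env = os.environ
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {
        "SECRET_KEY": env["DJANGO_SECRET_KEY"],
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql",
                "NAME": env["DB_NAME"],
                "USER": env["DB_USER"],
                "PASSWORD": env["DB_PASSWORD"],
                "HOST": env["DB_HOST"],
                "PORT": env.get("DB_PORT", "5432"),
            }
        },
        # SMTP details are optional; the defaults mean "no authenticated mail".
        "EMAIL_HOST": env.get("EMAIL_HOST", "localhost"),
        "EMAIL_HOST_USER": env.get("EMAIL_HOST_USER", ""),
        "EMAIL_HOST_PASSWORD": env.get("EMAIL_HOST_PASSWORD", ""),
        "EMAIL_USE_TLS": env.get("EMAIL_USE_TLS", "false").lower() == "true",
    }


# Constructed sample of a .env file with placeholder values (never commit a real one).
SAMPLE_ENV_FILE = """
# Database
DB_NAME=mysite
DB_USER=mysite_app
DB_PASSWORD="placeholder-db-password"
DB_HOST=10.0.0.5
# Django
DJANGO_SECRET_KEY='placeholder-secret-key'
EMAIL_HOST=smtp.example.com
EMAIL_USE_TLS=true
"""


if __name__ == "__main__":
    # In settings.py you would read the real process environment instead:
    #     cfg = settings_from_env()          # uses os.environ
    #     SECRET_KEY = cfg["SECRET_KEY"]
    #     DATABASES = cfg["DATABASES"]
    cfg = settings_from_env(parse_env_file(SAMPLE_ENV_FILE))
    print(cfg["DATABASES"]["default"]["HOST"], cfg["EMAIL_USE_TLS"])
```

The `.env` file itself belongs in `.gitignore`; what you commit is a `.env.example` with the variable names and no values, so new team members know what to provide without any secret ever entering the repository.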

Django Version

Your application should run on the latest versions of Python and Django, and every package you depend on should be a stable release. To check the packages you use for known vulnerabilities, use Safety (https://pyup.io/safety/), which scans the installed packages against reported security vulnerabilities.

Django Deployment

Django provides a security checklist that we can run before deploying the application using the following command. The points of this checklist are discussed at https://docs.djangoproject.com/en/3.2/howto/deployment/checklist/. The command covers all the points we discussed at the beginning of this article.

Sometimes requests from other domains or IP addresses must be allowed, usually when the Django backend serves an Angular or React front-end. For this, django-cors-headers (https://pypi.org/project/django-cors-headers/) can be used to allow only specific domains; by whitelisting trusted domains it helps prevent CSRF attacks.

Use a valid SSL/TLS certificate and redirect all HTTP requests to HTTPS. This prevents man-in-the-middle attacks.
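The checklist linked above is backed by Django's `manage.py check --deploy` command. As an added example (my own code, not Django's or django-cors-headers' own checks), the block below puts a typical development settings mapping beside a hardened production one and runs a small checker in the spirit of that command over both. The setting names are real Django settings (`DEBUG`, `ALLOWED_HOSTS`, `SECURE_SSL_REDIRECT`, `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE`, `SECURE_HSTS_SECONDS`) and real django-cors-headers settings (`CORS_ALLOW_ALL_ORIGINS`, `CORS_ALLOWED_ORIGINS`); the host names are placeholders and `deployment_issues` and `MIN_HSTS_SECONDS` are my assumptions.

```python
# What a local development settings.py typically ends up with (constructed example).
DEVELOPMENT_SETTINGS = {
    "DEBUG": True,
    "ALLOWED_HOSTS": [],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
    "CORS_ALLOW_ALL_ORIGINS": True,
    "CORS_ALLOWED_ORIGINS": [],
}

# The same settings as they should look for a production deployment.
PRODUCTION_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["www.example.com"],          # placeholder host
    "SECURE_SSL_REDIRECT": True,                   # send plain HTTP to HTTPS
    "SESSION_COOKIE_SECURE": True,                 # cookies only over HTTPS
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,               # one year of HSTS
    "CORS_ALLOW_ALL_ORIGINS": False,
    "CORS_ALLOWED_ORIGINS": ["https://app.example.com"],  # placeholder front-end origin
}

MIN_HSTS_SECONDS = 60 * 60 * 24 * 30  # shorter HSTS lifetimes give little protection


def deployment_issues(settings):
    """Return a list of problems found in a settings mapping (empty means clean).

    A hand-written subset of the kinds of checks `manage.py check --deploy`
    performs, plus two checks for the CORS settings, which Django's command
    does not cover.
    """
    issues = []
    if settings.get("DEBUG", True):
        issues.append("DEBUG is on: tracebacks and settings leak to visitors")
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts:
        issues.append("ALLOWED_HOSTS is empty: Host header values are not validated")
    if "*" in hosts:
        issues.append("ALLOWED_HOSTS accepts any host")
    if not settings.get("SECURE_SSL_REDIRECT", False):
        issues.append("SECURE_SSL_REDIRECT is off: HTTP requests are served in the clear")
    for cookie in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(cookie, False):
            issues.append(f"{cookie} is off: the cookie can travel over plain HTTP")
    if settings.get("SECURE_HSTS_SECONDS", 0) < MIN_HSTS_SECONDS:
        issues.append("SECURE_HSTS_SECONDS is too low: browsers will not insist on HTTPS")
    if settings.get("CORS_ALLOW_ALL_ORIGINS", False):
        issues.append("CORS_ALLOW_ALL_ORIGINS is on: any origin may read API responses")
    for origin in settings.get("CORS_ALLOWED_ORIGINS", []):
        if not origin.startswith("https://"):
            issues.append(f"CORS origin {origin} is not HTTPS")
    return issues


if __name__ == "__main__":
    for label, cfg in (("development", DEVELOPMENT_SETTINGS), ("production", PRODUCTION_SETTINGS)):
        found = deployment_issues(cfg)
        print(f"{label}: {len(found)} issue(s)")
        for issue in found:
            print("  -", issue)
```

One caveat worth keeping in mind when reading the CORS paragraph: CORS only governs which origins a browser lets read a response, it does not stop the browser from sending a forged cross-site POST in the first place. Django's `CsrfViewMiddleware` (enabled by default) is what rejects such requests, so keep it alongside `CorsMiddleware` rather than treating the whitelist as a replacement for it.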

To prevent brute-force attacks

The django-axes package (https://django-axes.readthedocs.io/en/latest/) can be installed. It allows only a limited number of login attempts by tracking failed and suspicious login attempts against your Django application.
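To make the mechanism concrete, here is an added example (my own simplified illustration, not django-axes' code) of the lockout logic such a package implements: failed logins are counted per (username, client IP) pair, the pair is locked once the count reaches a limit, and the lock expires after a cool-off period or is cleared by a successful login. The class and function names are my assumptions; the constructor parameters mirror the real django-axes settings `AXES_FAILURE_LIMIT` and `AXES_COOLOFF_TIME`, and the reset on success mirrors `AXES_RESET_ON_SUCCESS`.

```python
import time


class LoginAttemptTracker:
    """Count failed logins per (username, client IP) and lock the pair out after a limit."""

    def __init__(self, failure_limit=5, cooloff_seconds=15 * 60, clock=time.monotonic):
        self.failure_limit = failure_limit      # cf. AXES_FAILURE_LIMIT
        self.cooloff_seconds = cooloff_seconds  # cf. AXES_COOLOFF_TIME
        self.clock = clock                      # injectable so tests can fake time
        self._failures = {}                     # (username, ip) -> [count, last_failure_time]

    def is_locked(self, username, ip):
        entry = self._failures.get((username, ip))
        if entry is None:
            return False
        count, last = entry
        if self.clock() - last >= self.cooloff_seconds:
            # Cool-off elapsed: the old failures no longer count.
            del self._failures[(username, ip)]
            return False
        return count >= self.failure_limit

    def record_failure(self, username, ip):
        """Register a failed attempt; return True if the pair is now locked."""
        now = self.clock()
        count, last = self._failures.get((username, ip), (0, now))
        if now - last >= self.cooloff_seconds:
            count = 0  # stale failures are forgotten, same as in is_locked()
        self._failures[(username, ip)] = [count + 1, now]
        return self.is_locked(username, ip)

    def record_success(self, username, ip):
        """A successful login clears the counter (cf. AXES_RESET_ON_SUCCESS)."""
        self._failures.pop((username, ip), None)


def attempt_login(tracker, username, ip, password_ok):
    """Gate one login attempt through the tracker.

    Returns 'locked' (refused before checking the password), 'ok' or 'failed'.
    The password check itself is represented by the password_ok flag.
    """
    if tracker.is_locked(username, ip):
        return "locked"
    if password_ok:
        tracker.record_success(username, ip)
        return "ok"
    tracker.record_failure(username, ip)
    return "failed"


if __name__ == "__main__":
    tracker = LoginAttemptTracker(failure_limit=3, cooloff_seconds=600)
    for _ in range(3):
        print(attempt_login(tracker, "alice", "203.0.113.9", password_ok=False))
    # Even the correct password is refused while the lock is active.
    print(attempt_login(tracker, "alice", "203.0.113.9", password_ok=True))
```

Keying on the (username, IP) pair rather than the username alone matters: a per-username lock lets anyone who knows a login name lock that user out by sending a few wrong passwords, while a per-IP component confines the lock to the source of the failures. Whatever key you choose, log the lockouts; a burst of them is the detection signal for a credential-guessing campaign.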

SQL injection

If you use the Django ORM to modify or retrieve data, SQL injection cannot work, because the ORM constructs and runs the query after parameterizing the input values. If you use raw SQL, all input values should be passed as params, and the placeholders should be left unquoted so that the database driver binds the values itself; quoting a placeholder by hand is what opens the door to SQL injection. For example:

    params = {"name": "John", "email": "john@gmail.com"}
    # %(name)s and %(email)s are unquoted placeholders; the driver escapes the values.
    Profile.objects.raw("SELECT * FROM some_table WHERE name = %(name)s AND email = %(email)s", params)
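To show why the placeholder matters, here is an added example of my own (not from the article or from Django) that puts the vulnerable pattern beside the parameterized one. It uses the standard-library `sqlite3` module so it runs without a Django project; Django's `raw()` and `connection.cursor().execute()` hand `params` to the database driver in exactly the same way, the only difference being that Django always uses `%s` / `%(name)s` placeholders whereas `sqlite3` uses `?` / `:name`. The table, rows and function names are constructed for the example.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for the model's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO profile (name, email) VALUES (?, ?)",
        [("John", "john@example.com"), ("Jane", "jane@example.com")],
    )
    return conn


def find_by_name_unsafe(conn, name):
    """Vulnerable: the input is pasted into the SQL text, quotes and all.

    The hand-written quotes around %s are exactly the 'quoted placeholder'
    the article warns about: a quote character in the input ends the string
    literal and the rest of the input becomes SQL.
    """
    sql = "SELECT id, name, email FROM profile WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Safe: the SQL text has an unquoted placeholder and the driver binds the value.

    Whatever the input contains, it is compared as data against the name
    column; it never becomes part of the statement.
    """
    sql = "SELECT id, name, email FROM profile WHERE name = :name"
    return conn.execute(sql, {"name": name}).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "' OR '1'='1"  # the classic tautology from a login form
    print("unsafe, normal input:", find_by_name_unsafe(db, "John"))
    print("unsafe, crafted input:", find_by_name_unsafe(db, crafted))  # every row
    print("safe, crafted input:", find_by_name_safe(db, crafted))      # no row
```

The same split applies to the ORM: `Profile.objects.filter(name=name)` is the safe form, and the unsafe form is any f-string or `%` formatting of user input into the string handed to `raw()`, `extra()` or a cursor.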