Questions tagged [django]

Django is a free and open source web application framework, written in Python. Its architecture is the model–template–view variant of the model–view–controller pattern (Django's "view" corresponds to the controller in classic MVC, and its "template" to the view).

56 questions
83
votes
7 answers

Does a CSRF cookie need to be HttpOnly?

We were recently handed a security report containing the following: Cookie(s) without HttpOnly flag set vulnerability, which we apparently had in one of our internal applications. The applied fix was as simple as setting Django's…
alecxe
  • 1,515
  • 5
  • 19
  • 34
53
votes
1 answer

Is Django's built-in security enough?

I have learned that Django provides built-in protection against the three main types of web app attacks (SQL injection, XSS and CSRF), which is really awesome. Yet I have spoken to a few Django developers and they have essentially told me not to…
pleasedesktop
  • 633
  • 1
  • 6
  • 6
30
votes
1 answer

Django SECRET_KEY security, how are methods more secure

I am nearing a point where I will deploy my Django application to the hostile environment otherwise known as "the internet" and I'm trying to better understand the ramifications of the Django SECRET_KEY. One of the standard procedures it seems is to…
James
  • 545
  • 2
  • 5
  • 8
19
votes
2 answers

Why is referer checking needed for Django to prevent CSRF

Today I learned that Django's CSRF protection uses refer(r)er header checking in addition to checking a hidden form field against a cookie. It seems to be important, judging from docs and issue below. It only checks this over HTTPS though. I've also…
Mark
  • 333
  • 2
  • 8
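The Referer check the question above describes is simple enough to model without Django. The following is an added example, not Django's source and not from the question: a simplified reimplementation of the rule `CsrfViewMiddleware` applies to unsafe methods, written from Django's documented behaviour (check only over HTTPS, require an `https` Referer whose host matches the request host or an entry in `CSRF_TRUSTED_ORIGINS`). The real middleware also honours `CSRF_COOKIE_DOMAIN` and wildcard trusted origins, which are left out here, and the rejection strings are this example's own. Django's stated reason for the check is that browsers accept `Set-Cookie` from a plain-HTTP response for the same host, so an active network attacker (or an attacker-controlled subdomain) can plant a CSRF cookie of their choosing for an HTTPS site; the Referer check defeats that by requiring the unsafe request to originate from the site itself. Over plain HTTP such an attacker can already read and modify everything, so the check buys nothing and is skipped.

```python
from urllib.parse import urlsplit

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def referer_check(method, is_secure, host, referer, trusted_origins=()):
    """Return None when the request passes, otherwise the rejection reason.

    `host` is the request's Host header (may carry a port), `referer` the raw
    Referer header or None, `trusted_origins` exact "scheme://host[:port]"
    strings (a simplified stand-in for CSRF_TRUSTED_ORIGINS).
    """
    if method not in UNSAFE_METHODS:
        return None  # safe methods are never CSRF-checked
    if not is_secure:
        return None  # plain HTTP: the Referer check is skipped entirely
    if referer is None:
        return "no Referer"
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return "malformed Referer"
    if parts.scheme != "https":
        # A page served over https posting to itself carries an https Referer;
        # an http one means the request was built somewhere the attacker controls.
        return "insecure Referer"
    if f"{parts.scheme}://{parts.netloc}" in trusted_origins:
        return None
    expected_host = urlsplit("https://" + host).hostname
    if parts.hostname != expected_host:
        # Exact host comparison: an attacker-controlled subdomain that can set
        # cookies for the parent domain still fails here.
        return "Referer host mismatch"
    return None


if __name__ == "__main__":
    # Constructed requests: same-site form post passes, cross-site and
    # subdomain posts are rejected, plain HTTP is not checked at all.
    print(referer_check("POST", True, "example.com", "https://example.com/form"))
    print(referer_check("POST", True, "example.com", "https://attacker.example.com/"))
    print(referer_check("POST", False, "example.com", None))
```

Note that a browser sends no Referer at all for a `<form>` on an `http://` page posting to an `https://` target, so a site that mixes schemes sees "no Referer" rejections; that is the behaviour the check relies on, not a bug in it.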
12
votes
4 answers

What are the pros and cons of using sha256 to hash a password before passing it to bcrypt?

I recently became aware of the fact that bcrypt truncates passwords to 72 characters. Practically speaking my intuition is that this does not pose any major security problems. However, I understand that it does mean any software libraries that use…
Dan Tao
  • 281
  • 2
  • 6
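The 72-byte limit the question above mentions, and the sha256 pre-hash that Django's own `BCryptSHA256PasswordHasher` uses to work around it, can be shown without installing bcrypt. This is an added example, not code from the question or from Django: `bcrypt_input` is a stand-in for the real library that reproduces only the two input properties that matter (truncation at 72 bytes, and C-string termination at the first NUL byte, which is how some implementations behave while others refuse NUL outright). The pre-hash is the one Django applies, the sha256 hex digest, which is 64 ASCII bytes and can never contain NUL; the example also shows why the raw 32-byte digest is the wrong thing to feed bcrypt.

```python
import hashlib
from typing import Optional

BCRYPT_MAX_BYTES = 72


def bcrypt_input(password: bytes) -> bytes:
    """Stand-in for what the bcrypt core actually hashes (not the real library).
    Models C-string semantics (stop at the first NUL) plus the 72-byte cut."""
    nul = password.find(b"\x00")
    if nul != -1:
        password = password[:nul]
    return password[:BCRYPT_MAX_BYTES]


def prehash(password: bytes) -> bytes:
    """sha256 hex digest: 64 ASCII bytes, fixed length, no NUL.  This is the
    transformation Django's BCryptSHA256PasswordHasher applies before bcrypt."""
    return hashlib.sha256(password).hexdigest().encode("ascii")


def raw_digest(password: bytes) -> bytes:
    """The unencoded 32-byte digest, shown only to demonstrate the NUL problem."""
    return hashlib.sha256(password).digest()


def bcrypt_sees_same_input(a: bytes, b: bytes, prehashed: bool = False) -> bool:
    """True when bcrypt would hash a and b identically, i.e. accept either."""
    if prehashed:
        a, b = prehash(a), prehash(b)
    return bcrypt_input(a) == bcrypt_input(b)


def find_password_with_nul_digest(prefix: bytes = b"pw", limit: int = 10_000) -> Optional[bytes]:
    """First constructed candidate whose raw sha256 digest contains 0x00.
    Roughly one digest in eight does, so passing the raw digest to a
    C-string bcrypt would silently shorten one password in eight."""
    for i in range(limit):
        candidate = prefix + str(i).encode("ascii")
        if b"\x00" in raw_digest(candidate):
            return candidate
    return None


if __name__ == "__main__":
    base = b"x" * BCRYPT_MAX_BYTES
    # Two passphrases that differ only after byte 72: indistinguishable to bare
    # bcrypt, distinct once pre-hashed.
    print(bcrypt_sees_same_input(base + b"A", base + b"B"))
    print(bcrypt_sees_same_input(base + b"A", base + b"B", prehashed=True))
    print(find_password_with_nul_digest())
```

The practical con the question hints at is not a weakening of bcrypt but a compatibility one: once a hash store has been written with the pre-hash, every verifier (other services, migration scripts, a future library swap) must apply exactly the same encoding of the digest, or valid passwords stop verifying.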
11
votes
3 answers

Concerning GET request in logs

I have a Django application running on a Digital Ocean Ubuntu server. I am using NGINX and Daphne to serve the application because I am using Django Channels. My websockets keep crashing, and I noticed in the logs when the crash occurs, this…
MattG
  • 213
  • 2
  • 5
8
votes
2 answers

Is Django vulnerable to shellshock?

Does the recent shellshock vulnerability in bash affect stock Django? Assume any of the production setups listed on the Django site are used (gunicorn, wsgi, nginx). If not, are there any commonly used Django extensions that could be vulnerable?…
fredley
  • 1,455
  • 1
  • 16
  • 25
8
votes
3 answers

Proving the need to upgrade Django

The Story: In one of our projects, we are using Django web framework. But, we are currently stuck at 1.6.11 (mainly because in 1.7 Python 2.6 support was dropped - we are working on it, but it's going very slow) which is not maintained anymore. No…
alecxe
  • 1,515
  • 5
  • 19
  • 34
6
votes
2 answers

What should I use for authentication for my Django Rest API?

I just read this article about why JWT's suck. I'm now uncertain what I should use for authentication. For context: The API I wrote is mainly used by mobile Apps (iOS and Android). In the future it will also be accessed via a React Frontend. In the…
J. Hesters
  • 163
  • 1
  • 5
5
votes
1 answer

How to make a file private by securing the URL so that only authenticated users can see it

I was wondering if there is a way to secure an image or a file to be hidden when it is not authenticated. Suppose there is an image in my website which can only be seen if that user is authenticated. But the thing is I can copy the url or open the…
Robin
  • 153
  • 4
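The URL in the question above is copyable because the web server serves the file as a static asset, so the application's login check is never consulted. The fix is to take the file off the static path and route every download through the application, which authenticates and then hands the actual transfer back to the web server (nginx's `X-Accel-Redirect`, or `X-Sendfile` on Apache) so the bytes are not streamed through Python. The following is an added example, written as a bare WSGI application so it runs without Django; the session table, cookie name, URL prefixes and the `/protected/` nginx location are assumptions, and the same view logic would sit in a Django view with `@login_required`.

```python
import os
from http.cookies import SimpleCookie

# Constructed session table: session id -> username.  A real application
# looks this up in its session store.
SESSIONS = {"s3ss10n-alice": "alice"}

MEDIA_PREFIX = "/media/"          # public URL prefix clients request
INTERNAL_PREFIX = "/protected/"   # nginx location marked `internal;`


def user_from_environ(environ):
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    if "sessionid" not in cookie:
        return None
    return SESSIONS.get(cookie["sessionid"].value)


def internal_path(request_path):
    """Map /media/<file> to /protected/<file>.  Only a bare file name is
    accepted, so the application never hands nginx a traversal or nested path
    (PATH_INFO is already percent-decoded by the WSGI server)."""
    if not request_path.startswith(MEDIA_PREFIX):
        return None
    name = request_path[len(MEDIA_PREFIX):]
    if not name or name in (".", "..") or name != os.path.basename(name) or "\x00" in name:
        return None
    return INTERNAL_PREFIX + name


def app(environ, start_response):
    target = internal_path(environ.get("PATH_INFO", ""))
    if target is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    if user_from_environ(environ) is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"login required\n"]
    # Authenticated: return an empty body with X-Accel-Redirect and let nginx
    # serve the file from
    #     location /protected/ { internal; alias /srv/private/; }
    # which clients cannot request directly.  The empty Content-Type lets
    # nginx pick the type from the file extension.
    start_response("200 OK", [("X-Accel-Redirect", target), ("Content-Type", "")])
    return [b""]


def call(path, cookie=None):
    """Drive the WSGI app directly without a server; returns (status, headers)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    print(call("/media/report.pdf", "sessionid=s3ss10n-alice"))   # 200 + X-Accel-Redirect
    print(call("/media/report.pdf"))                              # 403, no session
    print(call("/media/../settings.py", "sessionid=s3ss10n-alice"))  # 404, traversal
```

Two things to check in the deployment: the `internal` location must not overlap a public `location /media/` or `root` that still exposes the directory, and the application's URL must be the only way to reach the files (no directory listing, no static mapping of `/srv/private/`).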
5
votes
4 answers

Best way to store/retrieve sensitive key files?

We have our web servers running in AWS EC2. We have about 30 API Keys/passwords/etc (sensitive data) which is set in the environment for our app to use. Whenever we deploy, we start a new server instance, pull down our repo and build our…
trikosuave
  • 51
  • 1
4
votes
1 answer

Is it safe to create a session from an auth token?

My server is using Django Rest Framework. My mobile app logs in using token authentication. However, I also have a webview in the mobile app where I need to log in. I can't inject the auth token on every request in the webview, so I use the auth…
personjerry
  • 1,236
  • 4
  • 11
  • 13
4
votes
2 answers

What are the implications of making Django's SECRET_KEY public?

I know the SECRET_KEY for a website made in Django. The owner of the site has accidentally made the settings.py public. What are the implications of making SECRET_KEY public? How can someone use this to attack the system? From Django's official…
abybaddi009
  • 141
  • 4
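Both SECRET_KEY questions on this page (the deployment one above and this leaked-`settings.py` one) come down to the same fact: everything Django signs (session cookies under the `signed_cookies` backend, password-reset tokens, cookie-based messages, `django.core.signing` values) is an HMAC keyed, through a per-purpose salt, from SECRET_KEY, so whoever holds the key can mint valid values. The following is an added example, not Django's code: it reimplements the `salted_hmac` construction Django uses (derive `sha256(salt + secret)` as the HMAC key, then HMAC-SHA256 over the value) and a minimal sign/unsign around it, then shows a forged session payload being accepted until the key is rotated. The `value:hexsignature` format, the salt string and the JSON payload are this example's own; Django's real wire format (base64 signature, optional timestamp, `:` separators) is not reproduced. With the older `PickleSerializer` a forged session meant code execution on unpickling; with the default JSON serializer it means impersonating any user. Rotating the key invalidates every outstanding signature at once, which is what `SECRET_KEY_FALLBACKS` (Django 4.1+) exists to soften.

```python
import hashlib
import hmac


def salted_hmac(key_salt: str, value: bytes, secret: str) -> bytes:
    """Same construction as django.utils.crypto.salted_hmac: a per-purpose key
    derived from the salt and SECRET_KEY, then HMAC-SHA256 over the value."""
    key = hashlib.sha256(key_salt.encode("utf-8") + secret.encode("utf-8")).digest()
    return hmac.new(key, value, hashlib.sha256).digest()


SESSION_SALT = "example.session"  # illustrative salt, not the one Django uses


def sign(value: bytes, secret: str) -> bytes:
    """value + ':' + hex(HMAC).  Anyone holding `secret` can produce this."""
    return value + b":" + salted_hmac(SESSION_SALT, value, secret).hex().encode("ascii")


def unsign(signed: bytes, secret: str) -> bytes:
    """Recover the value, or raise ValueError if the signature does not match."""
    value, sep, sig = signed.rpartition(b":")
    expected = salted_hmac(SESSION_SALT, value, secret).hex().encode("ascii")
    if not sep or not hmac.compare_digest(sig, expected):  # constant-time compare
        raise ValueError("bad signature")
    return value


def server_accepts(cookie: bytes, server_secret: str) -> bool:
    try:
        unsign(cookie, server_secret)
        return True
    except ValueError:
        return False


def forged_admin_cookie(leaked_secret: str) -> bytes:
    """What an attacker does with the leaked settings.py: sign a constructed
    session payload (shaped like the signed_cookies backend's JSON) that claims
    to be user id 1."""
    return sign(b'{"_auth_user_id":"1"}', leaked_secret)


if __name__ == "__main__":
    cookie = forged_admin_cookie("leaked-key")
    print(server_accepts(cookie, "leaked-key"))    # True: the server trusts it
    print(server_accepts(cookie, "rotated-key"))   # False: every old signature dies
```

The salt is what keeps a signature minted for one purpose (say, a password-reset token) from being replayed as another (a session); it is not a secret and does not protect against a leaked key.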
4
votes
1 answer

BREACH attack vs filtered reflected user input

I am in charge of the applicative security of our application and would like to test our exposure to the BREACH attack. Our django-based web application reflects filtered user-input and serves a CSRF token. The way I understand it, BREACH exploits…
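Two questions on this page meet in one piece of Django: the CSRF-cookie HttpOnly question near the top and this BREACH one. The cookie is readable by JavaScript by default (`CSRF_COOKIE_HTTPONLY = False`) because Django's documented AJAX pattern reads the token from `document.cookie` and sends it in the `X-CSRFToken` header; the Django docs also note that HttpOnly adds no practical CSRF protection, since a script that can read the cookie is already running on the site's origin and can do anything it likes. The BREACH exposure comes from the token appearing in compressed HTTPS responses next to attacker-reflected input. Django's answer, since 1.10, is to never render the cookie secret itself: each response carries a fresh random mask plus the secret combined with that mask position-wise over the 62-character alphabet, so the bytes an attacker guesses at change on every render while the cookie stays constant. The following is an added example, not Django's source: a reimplementation of the masking scheme in `django.middleware.csrf` (`_mask_cipher_secret` / `_unmask_cipher_token`) together with the server-side comparison, using a fixed mask where a deterministic result is wanted. In current Django the cookie holds the unmasked secret and only the form field and header carry masked tokens.

```python
import hmac
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits  # 62 symbols, as in Django
CSRF_SECRET_LENGTH = 32
_INDEX = {c: i for i, c in enumerate(CSRF_ALLOWED_CHARS)}


def new_secret() -> str:
    """The per-client secret that lives in the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str, mask: str = "") -> str:
    """Form/header token = mask + (secret + mask) position-wise mod 62.
    A fresh mask per response is the BREACH defence: the rendered token is
    different every time even though the cookie secret is unchanged."""
    mask = mask or new_secret()
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(_INDEX[s] + _INDEX[m]) % len(CSRF_ALLOWED_CHARS)]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Invert mask_secret: split off the mask and subtract it position-wise."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        CSRF_ALLOWED_CHARS[(_INDEX[c] - _INDEX[m]) % len(CSRF_ALLOWED_CHARS)]
        for c, m in zip(cipher, mask)
    )


def token_is_valid(cookie_secret: str, submitted_token: str) -> bool:
    """Server side: sanity-check the submitted token's shape, unmask it and
    compare with the cookie secret in constant time."""
    if len(submitted_token) != 2 * CSRF_SECRET_LENGTH:
        return False
    if any(c not in _INDEX for c in submitted_token):
        return False
    return hmac.compare_digest(cookie_secret, unmask_token(submitted_token))


if __name__ == "__main__":
    secret = new_secret()
    first_render, second_render = mask_secret(secret), mask_secret(secret)
    print(first_render != second_render)                   # True: distinct on the wire
    print(token_is_valid(secret, first_render),
          token_is_valid(secret, second_render))           # True True
    print(token_is_valid(new_secret(), first_render))      # False: wrong cookie
```

Testing a BREACH exposure as the question sets out to do therefore needs the reflected input and a secret that is constant across responses; with masked tokens the CSRF token is no longer such a secret, and the remaining candidates are other per-user values the page echoes verbatim.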
4
votes
1 answer

Sending a token with a request from one app to another

Say I have an application written in some language and framework (Python + flask, for instance), and have a great deal of the functionality requiring login, and authentication via JWT. Now I want to create a new module built as an app, possibly…