Mozilla’s Security Best Practices

    4 September 2012

    This list of resources is meant as a companion to the talk I gave at DjangoCon 2012, but it should stand on its own as a useful list for Django developers. Best Practices? What are “best practices,” anyway? The internet loves to debate these things. For us, think of it as the collective team...


    Mass Assignment – Security Part 10

    9 August 2012

    NB: This is the tenth post in a series of posts on web application security. “Mass assignment”? That’s a Rails thing! GitHub was the recent, high-profile target of an “attack”—it wasn’t so much a vicious attack as a “hey you guys, this is serious” attack, really gray-hat at its darkest—that made use of a...


    Intermission

    30 July 2012

    I sincerely hope to start the Advanced section of the security series tomorrow or Wednesday, but it’s been a full and hectic weekend and I didn’t have as much time to write as I’d hoped. I still need to finish the first couple of posts and get them queued up.


    Stay Up to Date – Basic Security Part 9

    27 July 2012

    NB: This is the ninth post in a series of posts on web application security. Rounding out this week is the last, but perhaps most important part of the basic security series: staying up to date. Keeping everything up-to-date is a pain. You have to follow the latest versions of everything you use. And...


    Click-Jacking and a little Phishing – Basic Security Part 8

    26 July 2012

    NB: This is the eighth post in a series of posts on web application security. Click-jacking is a process of “stealing” clicks on your site, redirecting them to other places, either by using an XSS vector to replace the targets of links (or whole sections of the page) or by putting your page in...


    Server Configuration – Basic Security Part 7

    25 July 2012

    NB: This is the seventh post in a series of posts on web application security. Configuring a server correctly is both 1) hard and 2) critical. You’ve probably spent a bunch of time configuring Apache or nginx, or whatever your server of choice is, for performance. But have you configured it for security? I...


    Session Fixation and Hijacking – Basic Security Part 6

    24 July 2012

    NB: This is the sixth post in a series of posts on web application security. Don’t put session IDs in the URL. Django explicitly does not support this because it’s just dangerous. Use SSL and secure cookies. Use HttpOnly cookies. Is it really that easy? Yes and no. But start there and you’ve already...


    Access Control – Basic Security Part 5

    23 July 2012

    NB: This is the fifth post in a series of posts on web application security. Proper access control is an absolutely key part of web app security and is easily overlooked—possibly because it’s so easy. In Django, to hide a link from someone, you just: {% if perms.myapp.mymodel %}     <a href="{% url...


    Injections, SQL and otherwise – Basic Security Part 4

    20 July 2012

    NB: This is the fourth post in a series of posts on web application security. SQL Injection SQL injection is a vector that lets a user insert their own SQL into a statement sent to your database server. The typical example is: "SELECT * FROM users WHERE username = '" + username + "'...


    CSRF: Cross-Site Request Forgeries – Basic Security Part 3

    19 July 2012

    NB: This is the third post in a series of posts on web application security. The quintessential example of a CSRF (sometimes pronounced “sea-surf”) is a bank that naively does transfers over a GET request without any other security: http://badbank.com/transfer?from=act1&to=act2&amt=100000.00 Ignoring how many other bad things are going on here, there’s no validation that...
