Best Basic Security Practices (Especially with Django)
Or: Locking Your Doors
This goes along with a talk I gave at Django-NYC in July 2012, but is meant to stand on its own. It is the first in a series of posts, because I realized it was too big for one.
Security is proportional. Most apps don’t need two-factor auth—some certainly do—but there is a set of common attacks, easily mitigated, that basically any transactional web application is vulnerable to.
Covering these basics is like locking your car doors. For most cars, a thief is just going to try the handle and then move on. If you’re driving a Ferrari or have a bag of cash sitting in the back seat—if you’re a bank or a high-profile target—you’re going to need to be more proactive.
At Mozilla, we’ve rolled a lot of this into Playdoh, our Django application template, and funfactory, a Django app that actually holds a lot of the code.
These best-practices are locking your doors. If your site is a high-profile target or handles financial data, you’ll need to go beyond this.
Before I go on, a fantastic resource for web app developers is OWASP. The group maintains a ton of great info about common and emerging attacks against web apps, how to mitigate attack vectors, and more. They’re worth bookmarking, following, even joining.
This is the first post in the series. It covers what I covered in the talk, but that is too big for a single blog post, so I’m breaking it up into posts that will go up this week and next. The basic structure is:
- Basics: locking your car doors.
  - Password Storage
  - XSS: Cross-Site Scripting
  - CSRF: Cross-Site Request Forgeries
  - Injections, SQL and Otherwise
  - Access Control
  - Session Fixation and Hijacking
  - Server Configuration
  - Click-jacking and a little Phishing
  - Stay Up to Date
- Advanced: Some gotchas from my experience and some things you may well see.
  - Mass Assignment
  - Cache Poisoning
  - Bots: Spam, Brute-force, and User Experience
  - CEF Logging
- What browsers are doing to help.
  - Content Security Policy
  - Do Not Track
Over the next week or so, I’ll fill in that outline with links to the individual posts, so if you want to bookmark this one, it’s not a bad place to start. Or look at the security tag on this blog.