Mozilla's Security Best Practices

This list of resources is meant as a companion to the talk I gave at DjangoCon 2012, but it should stand on its own as a useful list for Django developers.

Best Practices?

What are “best practices,” anyway? The internet loves to debate these things. For us, think of it as the collective team knowledge, condensed into things like docs; shared, reviewed libraries; application templates; code review standards; and user experience guidelines.

Docs

• WebDev Bootcamp
• Localization
• Playdoh Docs

Libraries

• Playdoh – Our application template.
• Funfactory – Core of our shared stuff, base settings.
• django-sha2 – HMAC+Bcrypt password storage.
• Bleach – HTML sanitizer and link-finder.
• django-session-csrf – Better CSRF for subdomains.
• django-ratelimit – Ratelimiting decorator.
• commonware – Some other useful middleware and monkeypatches.
• tower – Our wrapper around Babel.
• jingo – Our adapter to use Jinja2 templates, with some built-in filters.
• cef – Common Event Format logger for security events.
• django-csp – CSP header tool.

Django Features

• CSRF – Django’s CSRF protection.
• X-Frame-Options – X-Frame-Options tools.
• Secure Sessions – Set session cookies for HTTPS only.