django-nyc-security - Coffee on the Keyboard

django-nyc-security

A collection of 12 posts

Mass Assignment - Security Part 10

NB: This is the tenth post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. > “Mass assignment”? That’s a Rails [http://rubyonrails.org/] thing! GitHub [https://github.com/] was the recent, high-profile target of an “attack”—it wasn’t so much a vicious attack as

django-nyc-security

Intermission

I sincerely hope to start the Advanced section of the security series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] tomorrow or Wednesday, but it’s been a full and hectic weekend and I didn’t have as much time to write as I’d hoped. I still need to finish the first couple

Stay Up to Date - Basic Security Part 9

NB: This is the ninth post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Rounding out this week is the last, but perhaps most important part of the basic security series: staying up to date. Keeping everything up-to-date is a pain. You have to follow

Click-Jacking and a little Phishing - Basic Security Part 8

NB: This is the eighth post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Click-jacking is a process of “stealing” clicks on your site, redirecting them to other places, either by using an XSS vector [https://coffeeonthekeyboard.com/xss-cross-site-scripting-basic-security-part-2-711/] to replace the targets of links

Server Configuration - Basic Security Part 7

NB: This is the seventh post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Configuring a server correctly is both 1) hard and 2) critical. You’ve probably spent a bunch of time configuring Apache [http://httpd.apache.org/] or nginx [http://nginx.org/], or

Session Fixation and Hijacking - Basic Security Part 6

NB: This is the sixth post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. 1. Don’t put session IDs in the URL. Django explicitly does not support [https://docs.djangoproject.com/en/dev/topics/http/sessions/#session-ids-in-urls] this because it’s just dangerous. 2.

Access Control - Basic Security Part 5

NB: This is the fifth post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. Proper access control is an absolutely key part of web app security and is easily overlooked—possibly because it’s so easy. In Django, to hide a link from someone, you

Injections, SQL and otherwise - Basic Security Part 4

NB: This is the fourth post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. SQL Injection SQL injection is a vector that lets a user insert their own SQL into a statement sent to your database server. The typical example is: 1. "SELECT * FROM users

CSRF: Cross-Site Request Forgeries - Basic Security Part 3

NB: This is the third post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. The quintessential example of a CSRF (sometimes pronounced “sea-surf”) is a bank that naively does transfers over a GET request without any other security: http://badbank.com/transfer?from=act1&to=

XSS: Cross-Site Scripting - Basic Security Part 2

NB: This is the second post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. XSS covers a number of various attacks, but the common thread is that someone gets to execute code in the context of your web page and domain. Doing that, they can

Password Storage - Basic Security Part 1

NB-1: This is the first post in a series [https://coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of posts on web application security. NB-2: Fred [http://fredericiana.com/] wrote a great post on password storage [https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/]. You should read it. I’m assuming we’re talking

Best Basic Security Practices (Especially with Django)

Or: Locking Your Doors This goes along with a talk I gave at Django-NYC [http://www.djangonyc.org/events/70626822/] in July 2012, but is meant to stand on its own. It is the first in a series of posts, because I realized it was too big for one. Security