Preface
When working with Django, we as the developer can rest assure that it is inherently secure. This can even be seen on the Django front page.
This means that for the usual OWAPS top 10 popular vulnerability had already taken care for us.
However, going forward there are things we can improve with Django to make it much more secure and robust to reduce the chances that our website can be compromise by malicious hacker.
This post series will look into how to make Django much much more secure while maintaining the balance between usability and securing the customer data.
Since this setup should be the preface of most Django setup, I want to create a GitHub template which I can later use for all my Django project creation.
Securing Django
The way I see it, there are 3 area we can improve the security of the Django application:
Django Setting/Configuration
- Django environment variable - python-decouple
- Django Password Hash - Argon2
Django User Authentication/Authorization
- Django Password Validation - django-password-validators
- Password Strength check - django-zxcvbn-password
Django User Session
- Restrict Session - django-restricted-sessions
- Prevent Concurrent Login - django-preventconcurrentlogins
- User Control Django Session - django-user-session
- Ratelimit - django-ratelimit
- User Audit - django-useraudit
User Control Django Session
ashrafZolkopli ・ Jun 13 ・ 3 min read
Slowly but surely, I will link the series into each of the library stated above. However if the series end up hanging, please text me or share the comment so that I am reminded.
Going forward we need to have a good base to start with, and for me... any project should start with a git repo. Remember a good mantra to live by is,
Commit Small Commit Fast
Github Git Repo
When starting a new project, I will use GitHub as my repo. I prefer it this way since it allow me with the flexibility of continuing my project from multiple device.
Below is my Git repo setup in GitHub.
ashrafZolkopli
/
Django_Template
A Django secure starter template
Setting up the Initial Django project
I won't be sharing a step by step method of starting a new Django Project. So I will skim through the process.
Now in my folder to create a file name Backend. This will allow me to have a common directory in every project proceeding this.
In this Backend folder I start with my Virtual Environment using the code
pipenv shell
then install the Django package using the code
pipenv install django
start a Django project with the command
django-admin startproject Backend .
I would now add a User App with the command
python manage.py startapp User
now in your User folder, open models.py and add the following command
from django.db import models
from django.contrib.auth.models import AbstractUser
from django.utils.translation import gettext_lazy as _
# Create your models here.
class User(AbstractUser):
pass
then open your admin.py and the following code
from django.contrib import admin
from django.contrib.auth.admin import UserAdmin
from django.contrib.auth import get_user_model
# Register your models here.
User = get_user_model()
@admin.register(User)
class CustomUserAdmin(UserAdmin):
pass
now add your User app in your INSTALLED_APP located in settings.py file
INSTALLED_APP = [
"User",
# continue with all the default app.
]
add the following somewhere in your settings.py
# Custom User Model
AUTH_USER_MODEL = 'User.User'
# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/3.2/howto/static-files/
STATIC_ROOT = BASE_DIR.joinpath('static')
STATIC_URL = '/static/'
STATICFILES_DIRS = [
BASE_DIR.joinpath("static_files"),
]
# Public media files
MEDIA_ROOT = BASE_DIR.joinpath('media')
MEDIA_URL = '/media/'
add also replace your TEMPLATES in your setting.py
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [
BASE_DIR.joinpath('templates'),
],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
from here you could start commit to your git repo already.
End
Since we had commit the code into our repo, I would like to end this post here and stay tune for the next installment
Top comments (0)