id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35900	staticfiles: Make staticfiles.json location unguessable for security (by obscurity!).	Sebastian Pipping		"Hi!

An attacker searching for a way to attack a specific Django setup can check the URL `/static/staticfiles.json` and use its content first to derive the dependencies in use (potentially down to a specific version) and then to derive attack vectors from that information.

A fix would be not to use the guessable name `staticfiles.json` by default but to include some entropy in that filename, a la `staticfiles_USD7M7XPCLK3CJAEXNMGXN2WLYSHLNE2.json`, e.g. based on `settings.SECRET_KEY`, so that the `ManifestFilesMixin.manifest_name` value remains stable across all Python processes. The ""by default"" is key here, because most users of Django do not seem to consider the security implications of serving the file `staticfiles.json` to attackers; I keep finding these files in the wild. Yes, security by obscurity is never enough in isolation, but it does make attacking harder in practice.

Pull request 18778 (https://github.com/django/django/pull/18778) demonstrates one way the situation could be improved in a backwards-compatible way, by default and for everyone.
"	Uncategorized	new	contrib.staticfiles	dev	Normal		staticfiles security hardening	Sebastian Pipping	Unreviewed	1	0	0	0	0	0
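The derivation the ticket sketches, written out as an added example (this is not the ticket's code nor the code in pull request 18778): the manifest name is an HMAC-SHA256 of a fixed label keyed with `SECRET_KEY`, base32-encoded so it is filesystem- and URL-safe, and truncated to 32 characters like the name in the report. Because it is a pure function of `SECRET_KEY`, every process that shares the key computes the same name, and because it is a one-way keyed hash, the served filename reveals nothing about the key. The class name `UnguessableManifestStaticFilesStorage`, the HMAC label and the `STORAGES` wiring in the comment are assumptions for illustration; `ManifestStaticFilesStorage` and `ManifestFilesMixin.manifest_name` are Django's own.

```python
"""Derive an unguessable staticfiles manifest name from SECRET_KEY.

Added example for the ticket above; not Django's or the PR's code.
"""
import base64
import hashlib
import hmac

MANIFEST_PREFIX = "staticfiles_"
DEFAULT_MANIFEST_NAME = "staticfiles.json"  # Django's guessable default
# Fixed, purpose-bound label (assumed value) so the derived name cannot be
# confused with any other value derived from SECRET_KEY elsewhere in the app.
_LABEL = b"django.contrib.staticfiles:manifest-name"


def derive_manifest_name(secret_key: str, prefix: str = MANIFEST_PREFIX, length: int = 32) -> str:
    """Return a stable, secret-dependent manifest filename.

    HMAC (not a plain hash of the key) keeps the output one-way and keyed;
    base32 keeps the name to [A-Z2-7], which is safe in paths and URLs.
    """
    if not secret_key:
        raise ValueError("SECRET_KEY must be non-empty to derive a manifest name")
    digest = hmac.new(secret_key.encode("utf-8"), _LABEL, hashlib.sha256).digest()
    token = base64.b32encode(digest).decode("ascii").rstrip("=")[:length]
    return f"{prefix}{token}.json"


def uses_default_manifest_name(name: str) -> bool:
    """Deployment self-check: True if the manifest still has the guessable name."""
    return name.rsplit("/", 1)[-1] == DEFAULT_MANIFEST_NAME


try:
    from django.conf import settings
    from django.contrib.staticfiles.storage import ManifestStaticFilesStorage

    class UnguessableManifestStaticFilesStorage(ManifestStaticFilesStorage):
        """Drop-in replacement (assumed name); point
        STORAGES["staticfiles"]["BACKEND"] at this class.

        manifest_name must be set before the parent __init__ runs, because
        the parent loads the manifest during construction.
        """

        def __init__(self, *args, **kwargs):
            self.manifest_name = derive_manifest_name(settings.SECRET_KEY)
            super().__init__(*args, **kwargs)

except ImportError:  # Django not installed: the derivation above still works stand-alone
    pass


if __name__ == "__main__":
    # Constructed sample key, not a real secret.
    sample_key = "constructed-sample-secret-key-do-not-use"
    print(derive_manifest_name(sample_key))
    print("default name still in use:", uses_default_manifest_name(DEFAULT_MANIFEST_NAME))
```

Two practical caveats follow from the design: rotating `SECRET_KEY` changes the derived name, so `collectstatic` has to be rerun as part of the rotation (entries in `SECRET_KEY_FALLBACKS` are not consulted here), and the renamed file is still served under `STATIC_URL`, so a deployment that wants the manifest unreadable by clients should additionally block it at the web server or move it out of the served tree, as the ticket's own "never enough in isolation" point implies.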
