| | 1 | ===================== |
| | 2 | Security in Django |
| | 3 | ===================== |
| | 4 | |
| | 5 | This document will show you the security features of Django as well |
| | 6 | as give some advice about securing a Django site. |
| | 7 | |
| | 8 | .. _cross-site-scripting: |
| | 9 | |
| | 10 | Cross site scripting (XSS) protection |
| | 11 | ===================================== |
| | 12 | |
| | 13 | .. highlightlang:: html+django |
| | 14 | |
| | 15 | XSS attacks allow a user to inject client side scripts into the |
| | 16 | browsers of other users. This is usually acheived by storing the malicious |
| | 17 | scripts to the database where it will be retrieved and displayed to other users |
| | 18 | or to get users to click a link containing variables containing scripts that |
| | 19 | will be rendered by the user's browser. However, XSS attacks can originate |
| | 20 | from any untrusted source of data such as cookies or web services. |
| | 21 | |
| | 22 | Using Django templates protects you against the majority of XSS attacks. |
| | 23 | However, it is important to understand what protections it provides |
| | 24 | and its limitations. |
| | 25 | |
| | 26 | Django templates :ref:`escape specific characters <automatic-html-escaping>` |
| | 27 | which are particularly dangerous to HTML. While this protects users from most |
| | 28 | malications input, it is not entirely foolproof. For example, it will not |
| | 29 | protect the following: |
| | 30 | |
| | 31 | .. code-block:: html+django |
| | 32 | |
| | 33 | <style class={{ var }}>...</style> |
| | 34 | |
| | 35 | If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can |
| | 36 | result in unauthorized javascript execution depending on how the browser |
| | 37 | renders imperfect HTML. |
| | 38 | |
| | 39 | It is also important to be particularly careful when using ``is_safe`` |
| | 40 | with custom template tags, the :ttag:`safe` template tag and with |
| | 41 | :mod:`mark_safe <django.utils.safestring>`. |
| | 42 | |
| | 43 | In addition, if you are using the template system to output something other |
| | 44 | than HTML, there may be entirely separate characters and words which require |
| | 45 | escaping. |
| | 46 | |
| | 47 | You should also be very careful when storing HTML to the database especially |
| | 48 | when that HTML will be retrieved and displayed. |
| | 49 | |
| | 50 | Cross site request forgery (CSRF) protection |
| | 51 | ============================================ |
| | 52 | |
| | 53 | CSRF attacks allow a malicious user to execute actions using the credentials |
| | 54 | of another user without that user's knowledge or consent. |
| | 55 | |
| | 56 | Django has built-in :ref:`protection <using-csrf>` |
| | 57 | against most types of CSRF attacks. However, as with any mitigation technique, |
| | 58 | there are limitations. For example, it is possible to disable the CSRF module |
| | 59 | globally or for particular views. You should only do this if you know what |
| | 60 | you are doing. There are other :ref:`limitations <csrf-limitations>` if your |
| | 61 | site has subdomains that are outside of your control. |
| | 62 | |
| | 63 | :ref:`CSRF protection works <how-csrf-works>` by inserting some random data |
| | 64 | - a cryptographic nonce - into each POST request. This ensures that a |
| | 65 | malicious user cannot simply "replay" a form POST to your website and have |
| | 66 | another logged in user unwittingly submit that form. The malicious user would |
| | 67 | have to know the nonce which is user specific and expires after a short time. |
| | 68 | |
| | 69 | Be very careful with marking views with the ``csrf_exempt`` decorator unless |
| | 70 | it is absolutely necessary. |
| | 71 | |
| | 72 | SQL injection protection |
| | 73 | ======================== |
| | 74 | |
| | 75 | SQL injection is a type of attack where a malicious user is able to execute |
| | 76 | arbitrary SQL code on a database. This can result in records |
| | 77 | being deleted or data leakage. |
| | 78 | |
| | 79 | By using Django's querysets, the resulting SQL will be properly escaped by |
| | 80 | the underlying database driver. However, Django also gives developers power to |
| | 81 | write :ref:`raw queries <executing-raw-queries>` or execute |
| | 82 | :ref:`custom sql <executing-custom-sql>`. These capabilities should be used |
| | 83 | sparingly and you should always be careful to properly escape any parameters |
| | 84 | that the user can control. In addition, you should exercise caution when using |
| | 85 | :meth:`extra() <django.db.models.query.QuerySet.extra>`. |
| | 86 | |
| | 87 | |
| | 88 | Clickjacking protection |
| | 89 | ======================= |
| | 90 | |
| | 91 | Clickjacking is a type of attack where a malicious site wraps another site |
| | 92 | in a frame. This attack can result in an unsuspecting user being tricked |
| | 93 | into performing unintended actions on the target site. |
| | 94 | |
| | 95 | Django contains :ref:`clickjacking protection <clickjacking-prevention>` in |
| | 96 | the form of the |
| | 97 | :mod:`X-Frame-Options middleware <django.middleware.clickjacking.XFrameOptionsMiddleware>` |
| | 98 | which in a supporting browser can prevent a site from being rendered inside |
| | 99 | of a frame. It is possible to disable the protection on a per view basis |
| | 100 | or to allow frames from the same origin. |
| | 101 | |
| | 102 | The middleware is strongly recommended for any site that does not use frames |
| | 103 | or uses frames for only a small section of the site. |
| | 104 | |
| | 105 | .. _additional-security-topics: |
| | 106 | |
| | 107 | Additional security topics |
| | 108 | ========================== |
| | 109 | |
| | 110 | While Django provides good security protection out of the box, it is still |
| | 111 | important to properly deploy your application and take advantage of the |
| | 112 | security protection of the web server, operating system and other components. |
| | 113 | |
| | 114 | * Make sure that your Python code is outside of the web server's root. This |
| | 115 | will ensure that your Python code is not accidentally served as plain text. |
| | 116 | * If security is particularly important, it is a good idea to deploy the |
| | 117 | :mod:`admin site <django.contrib.admin>` behind HTTPS. Without this, it is |
| | 118 | possible for malicious users to sniff authentication credentials if the |
| | 119 | admin site is accessed from an insecure network connection. You may also |
| | 120 | want to take a look at the :setting:`SESSION_COOKIE_SECURE` setting. |
| | 121 | * Django does not throttle requests to authenticate users. To protect against |
| | 122 | brute-force attacks against the authentication system, you may consider |
| | 123 | deploying a Django plugin or web server module to throttle these requests. |
| | 124 | * If your site accepts file uploads, it is strongly advised that you limit |
| | 125 | the these uploads in your web server configuration to a reasonable |
| | 126 | size in order to prevent denial of service (DOS) attacks. In Apache, this |
| | 127 | can be easily set using the LimitRequestBody_ directive. |
| | 128 | * Keep your :setting:`SECRET_KEY` a secret. |
| | 129 | * It is a good idea to limit the accessibility of your caching system and |
| | 130 | database using a firewall. |
| | 131 | |
| | 132 | .. _LimitRequestBody: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestbody |
| | 133 | |