Ticket #16248: 16248-security.diff

File 16248-security.diff, 2.6 KB (added by buddelkiste@…, 13 years ago)
  • docs/topics/security.txt

     
    1313.. highlightlang:: html+django
    1414
    1515XSS attacks allow a user to inject client side scripts into the
    16 browsers of other users. This is usually acheived by storing the malicious
     16browsers of other users. This is usually achieved by storing the malicious
    1717scripts to the database where it will be retrieved and displayed to other users
    1818or to get users to click a link containing variables containing scripts that
    1919will be rendered by the user's browser. However, XSS attacks can originate
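Review bot: the "acheived" to "achieved" correction is right, but the same sentence in this hunk still has a number-agreement problem on the following context line: "storing the malicious scripts to the database where it will be retrieved and displayed" should read "where they will be retrieved", and "a link containing variables containing scripts" repeats "containing"; since the patch already touches this paragraph, suggest fixing both in the same change.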
     
    2525
    2626Django templates :ref:`escape specific characters <automatic-html-escaping>`
    2727which are particularly dangerous to HTML. While this protects users from most
    28 malications input, it is not entirely foolproof. For example, it will not
     28malicious input, it is not entirely foolproof. For example, it will not
    2929protect the following:
    3030
    3131.. code-block:: html+django
     
    9797the form of the
    9898:mod:`X-Frame-Options middleware <django.middleware.clickjacking.XFrameOptionsMiddleware>`
    9999which in a supporting browser can prevent a site from being rendered inside
    100 of a frame. It is possible to disable the protection on a per view basis
     100a frame. It is possible to disable the protection on a per view basis
    101101or to configure the exact header value sent.
    102102
    103103The middleware is strongly recommended for any site that does not need to have
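Review bot: dropping "of" in "inside a frame" is the right call; on the same changed line, "on a per view basis" should be hyphenated as "per-view basis", since it is a compound modifier, so the one-line edit could carry both fixes.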
     
    139139  :setting:`CSRF_COOKIE_SECURE` settings to ``True``. This instructs the browser
    140140  to only send these cookies over HTTPS connections. Note that this will mean
    141141  that sessions will not work over HTTP, and the CSRF protection will prevent
    142   any data POST data being accepted over HTTP (which will be fine if you are
     142  any POST data being accepted over HTTP (which will be fine if you are
    143143  redirecting all HTTP traffic to HTTPS).
    144144
    145145.. _additional-security-topics:
     
    157157  brute-force attacks against the authentication system, you may consider
    158158  deploying a Django plugin or web server module to throttle these requests.
    159159* If your site accepts file uploads, it is strongly advised that you limit
    160   the these uploads in your web server configuration to a reasonable
     160  these uploads in your web server configuration to a reasonable
    161161  size in order to prevent denial of service (DOS) attacks. In Apache, this
    162162  can be easily set using the LimitRequestBody_ directive.
    163163* Keep your :setting:`SECRET_KEY` a secret.
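Review bot: the "the these uploads" fix is fine; in the unchanged context line directly after it, "denial of service (DOS)" should use the standard abbreviation "(DoS)", and "can be easily set" reads more cleanly as "can be set", given that the LimitRequestBody_ link already points to the directive.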