Opened 19 years ago
Closed 17 years ago
#631 closed enhancement (invalid)
Document common security precautions
| Reported by: | GrumpySimon | Owned by: | Jacob |
|---|---|---|---|
| Component: | Documentation | Version: | |
| Severity: | minor | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Some discussion of the security precautions needed ( or not ) during application development is, I think, essential for a web application framework.
For example:
- what should people do to protect against SQL injection? Do we need to run an escaping on incoming data or is it sanitised elsewhere?
- What about Cross Site Scripting?
- Is there an equivalent of something like PHP's http://www.php.net/htmlspecialchars to sanitise potentially dodgy user inputted text?
- What type of queries should be avoided as hard on the database ( e.g. is foo.get_object( pk=1, select_related=True ) going to melt down your RDBMS ).
- How is the admin section secured?
- Has anyone completed a security audit of the backend code?
Note:
See TracTickets
for help on using tickets.
Covered in the relevant sections of the docs and in the Django Book [1].
[1] http://www.djangobook.com/en/beta/chapter20/