Security tips that we must follow in django

Django is a popular web framework used by many developers to build secure and scalable web applications. While Django provides many security features out of the box, it's essential to follow some best practices to ensure the security of your web application.

In this article, we will discuss some essential security tips that every Django developer should follow to protect their web application from common security threats. By following these tips, you can ensure that your Django web application remains secure and protected from potential security vulnerabilities.

What is Django?

Django is a high-level web framework for building web applications in Python. It follows the Model-View-Controller (MVC) architectural pattern and is designed to make the development process faster and easier by providing a robust set of tools and libraries. Django is known for its "batteries included" philosophy, which means it comes with a variety of built-in features such as an Object-Relational Mapping (ORM) system, URL routing, authentication, and more, which can help developers quickly build complex web applications.

Can you fully secure your Django website with the following tips?

We can never provide 100% security of a website because hackers always find a way to break in. With the techniques and tips below, we can establish this security to a great extent and prevent vandalism and intrusion into our site through the usual and basic methods.

What security tips should we follow?

There are many security issues in Django that need to be followed. Here we mention the most important of them:

1- Turn off debug mode in the production environment

Debug mode in Django is a helpful tool for identifying errors during development. However, leaving it on in a production environment poses a significant security risk. Debug mode displays sensitive information in error messages, making it easier for attackers to gain access to your web application and data. Therefore, it's essential to turn off debug mode when deploying to production and follow best practices to protect your web application's security.

To disable this mode in Django, you must go to the settings.py file in the main application of your Django project and change this variable with the boolean value you give it.

#True -> for turn on / False -> for turn off
DEBUG = True

2- Use SSL in your project

HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) are two protocols used for communication between web browsers and web servers.

the main difference between HTTP and HTTPS is that HTTPS encrypts data sent between the browser and server, while HTTP does not. HTTPS is more secure than HTTP and is essential for websites that handle sensitive information, such as online banking, e-commerce, and social media sites

If the requests coming to your website are not HTTPS, you need to enable SSL on your site to redirect HTTP requests to HTTPS.

To do this, just add this variable in the settings.py file:

SECURE_SSL_REDIRECT = True

3- Increase the security of the Django admin panel

In Django, by default, an admin panel is designed to manage your website, and by creating a super user, you can have full access to this panel. The access of different and dangerous people to this admin panel can cause serious damage to your site and the confidential information of users and other information in your database may be leaked.

You can follow the steps below to increase the security of your Django website admin panel:

1- Change the admin panel route

In Django, the default path for accessing the admin panel is "yoursite.domain/admin." However, this default setting poses a security risk as anyone with a general understanding of Django can easily access the login page and attempt to break into your website. To mitigate this risk, it's important to change the admin path to a custom path that is difficult for others to find, and known only to authorized personnel. By changing the admin path, you can significantly increase the security of your Django application and protect it from potential attacks.

For this, just go to the urls.py file in the main app of your project and change this section from admin to your desired name:

urlpatterns = [
    path('admin/', admin.site.urls) # change admin something different
    ...
]

2- Use django-admin-honeypot package

django-admin-honeypot is a valuable third-party package for Django that boosts the security of your application's admin panel by creating a honeypot trap. With this package, a dummy admin login page is generated with a custom URL that differs from the standard /admin URL.

Moreover, the package offers additional features such as email notifications and access attempt logging. This functionality enables you to track and monitor any suspicious activity targeting the honeypot.

When an attacker attempts to access the fake login page, they will either be logged out or redirected to a custom error page. This blocks them from accessing the actual admin panel.

By incorporating django-admin-honeypot, you can add an extra layer of protection to your Django admin panel, detecting and thwarting any potential threats before they have a chance to compromise your application.

For more information about this package, you can refer to its documentation

4- Prevent brute force attacks using Django_axes

A brute force attack is a cyber-attack where the attacker uses automated software to guess a username and password combination. They try every possible password combination until the correct one is found. This attack can be successful if the system has weak passwords or lacks security measures. The attacker can gain unauthorized access, steal sensitive information, manipulate or delete data, and take control of the system. To prevent brute force attacks, it is important to use strong passwords, limit login attempts, and implement security measures like two-factor authentication, rate limiting, and CAPTCHA verification

Django Axes is a package for Django that limits web requests and prevents brute-force attacks. It tracks failed logins and blocks IPs that exceed a certain number of login attempts. It also includes features such as logging and email notifications and provides options to customize rate-limiting settings. Django Axes enhances security, blocks brute-force attacks, and provides insights into potential security threats.

For more information about Django Axes, you can refer to its documentation

5- Prevent XSS attacks

XSS (Cross-Site Scripting) is a type of cyber attack where an attacker injects malicious code into a web application, which is then executed by unsuspecting users who visit the infected site. This can be used to steal sensitive user data, such as login credentials and personal information, or to perform actions on behalf of the user, such as making unauthorized purchases or spreading malware.

X-XSS-Protection: 1; mode = block enables XSS filtering. If an attack is detected, the browser will prevent the page from rendering instead of protecting the page.

To enable it in Django, make sure django.middleware.security.SecurityMiddleware is present in the middleware list in settings.py file Then add the following lines in this file:

SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True

6- Prevent CSRF

In a web application, it basically takes input from the user and sends them to the server parts to process them. Server-side components generally use the following methods to accept data over HTTP:

  • POST

  • PUT

  • DELETE

Django has built-in security against most forms of CSRF threats. As mentioned in the Django documentation, be very careful when marking with the csrf_exempt decorator, unless absolutely necessary. If someone has access to your csrftoken cookie, then this is a vulnerability. CSRF protection cannot protect against human attacks, so use HTTPS with strict transport security.

After setting up HTTPS, add these few lines to your settings.py file:

#to avoid transmitting the CSRF cookie over HTTP accidentally.
CSRF_COOKIE_SECURE = True 

#to avoid transmitting the session cookie over HTTP accidentally.
SESSION_COOKIE_SECURE = True

7- HTTP Strict Transport Security

If your website's HTTPS resources aren't being utilized properly or if your SSL/TLS certificate has expired, modern web browsers may reject connection attempts to your site for a specific duration.

Add the following lines to settings.py file:

SECURE_HSTS_SECONDS = 86400  # 1 day
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

8- Check deployment checklist

Check your security vulnerabilities by following the instructions below:

py manage.py --deploy

After using this command, you can see the information that it provides about the vulnerabilities of your Django web application and start fixing the things that are mentioned in it.

Conclusion

Django is a powerful tool for web application development, but security must be a top priority. Following the tips outlined in this article, such as Preventing brute force attacks, Turning off debug mode in production, using HTTPS, and keeping dependencies updated, can greatly reduce the risk of cyberattacks. Remember, security is an ongoing process, and staying proactive is crucial in keeping your Django application secure.

what is your opinion? If you know security issues for Django that are not mentioned in this article, be sure to mention them in the comments✌️🧡💣

12
Subscribe to my newsletter

Read articles from Shahriar Ghasempour directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Shahriar Ghasempour
Shahriar Ghasempour