May 14, 2021 Django
1. Cross-site scripting (XSS) protection
2. Request forgery (CSRF) protection across sites
XSS attacks enable users to inject client scripts into other users' browsers. T ypically, this is done by storing malicious scripts in a database for retrieval and displaying them to other users, or by using a user to click a link that causes an attacker's JavaScript to be executed by the user's browser. However, XSS attacks can originate from any untrusted data source, such as cookies or Web services, as long as the data is not cleaned up enough before it is included in the page.
Use the Django template to protect you from most XSS attacks. However, it is important to understand the protection it provides and its limitations.
Django templates escape specific characters, which is especially dangerous for HTML. A lthough this protects users from most malicious input, it is not absolutely secure. For example, it will not protect the following:
<style class={{ var }}>...</style>
If the var is set, it may result in unauthorized JavaScript execution, depending on how the browser renders imperfect HTML. ( Reference property values will resolve this situation.) )'class1 onmouseover=javascript:func()'
is_safe be especially careful when working with custom template labels, safe mark_safe labels, and turning off auto-escape.
In addition, if you use a template system to output content other than HTML, there may be completely separate characters and words that need to be escaped.
Special care should also be taken when storing HTML in a database, especially when retrieving and displaying HTML.
A CSRF attack allows a malicious user to perform an action using another user's credentials without the user's knowledge or consent.
Django has built-in protection against most CSRF attacks, as long as you enable and use it wherever you want. H owever, as with any mitigation technique, there are limitations. F or example, you can disable CSRF modules globally or for specific views. Y ou should only do this if you know what you're doing. If your site has sub-domains that you cannot control, there are additional restrictions.
CSRF protection works by checking the secrets in each POST request. T his ensures that a malicious user cannot "replay" a form POST to your site and that another logged-in user inadvertently submits the form. A malicious user must know a user-specific secret (using cookies).
When deployed with HTTPS, CsrfViewMiddleware checks whether the HTTP reference header is set to a URL on the same source, including sub-domains and ports. Because HTTPS provides additional security, you must ensure that connections are available using HTTPS by forwarding unsecured connection requests and using HTML for supported browsers.
csrf_exempt unless absolutely necessary, carefully mark the view with an decorator.
SQL injection is an attack in which a malicious user can execute arbitrary SQL code on a database. This can result in record deletion or data leakage.
Because Django's query set is constructed using query parameterization, SQL injection can be prevented. T he SQL code for a query is defined separately from the parameters of the query. Because parameters can be provided by the user and therefore unsafe, the underlying database driver escapes them.
Django also enables developers to write original queries or perform custom sqls. T hese features should be used with caution, and you should always be careful to escape any parameters that the user can control. In addition, use extra() and when using RawSQL with extreme caution.
Clickjacking is an attack in which a malicious site wraps another site in a framework. Such an attack can result in unsuspecting users being tricked into performing unexpected actions on the target site.
Django includes clickjacking protection in the form of a supported browser that prevents websites from rendering within the framework. T he exact header value sent can be disabled for protection or configuration based on each view. X-Frame-Options middleware
It is highly recommended that middleware be used for any site that does not require a third-party site to wrap its pages in a framework, or that only a small part of the site be allowed to use the middleware.
Deploying a site after HTTPS is always a better option for security. Otherwise, a malicious network user may sniff authentication credentials or any other information transmitted between the client and the server, and in some cases (active network attackers) may change the data sent in either direction.
If you want the protection provided by HTTPS and you have it enabled on the server, you may need to perform some additional steps:
Host In some cases, Django uses a header provided by the client to construct a URL. Although these values are cleared to prevent cross-site scripting attacks, forged Host values can be used for cross-site request forgery, caching poisoning attacks, and poisoning links in e-mail messages.
Because even seemingly secure Web server configurations are susceptible to fake Host headers, Django verifies headers django.http.HttpRequest.get_host) based on the ALLOWED_HOSTS settings in the method Host.
This verification only get_host ();
For more details, see the full ALLOWED_HOSTS documentation.
Warning: Previous versions of this document recommended configuring a Web server to ensure that it validates the incoming HTTP Host header. A lthough this is still recommended, in many common Web servers, it seems possible to verify that the configuration of the Host header may not actually do so. F or example, even if Apache is configured to serve the Django site from a non-default virtual host with the ServerName setting, it is still possible for HTTP requests to match the virtual host and provide a fake Host header. Therefore, Django now requires you to ALLOWED_HOSTS settings, rather than relying on the Web server configuration.
In addition, if your configuration requires Django, Django requires you to explicitly enable support for the X-Forwarded-Host header (USE_X_FORWARDED_HOST settings).
The browser uses the Referer header as a way to send the user information about where the user arrived. B y setting a referral source URL policy, you can help protect users' privacy and limit the circumstances under which the Referer header is set. For more information, see the Referral Source URL Policy section of the Security Middleware Reference.
Similar to the CSRF restriction, which requires the deployment of a Web site so that untrusted users cannot access any sub-domains, this django.contrib.sessions also has restrictions. For more information, see the session topic guide section on security.
Note: Consider providing static files from a cloud service or CDN to avoid some of these issues.
Although Django provides good out-of-the-box security, it is important to deploy applications correctly and take advantage of the security of Web servers, operating systems, and other components.
For more information: https://docs.djangoproject.com/en/3.0/