Arno Pretorius

Django web application security checklist

Web application security

Web application security is the process of protecting websites and online services against the threats that leave an application exposed. It is essential for protecting users' data from a malicious actor who plans to steal or damage that data.

What is Django and how does it stand

Django is a Python-based, open-source web framework that follows an MVT (Model-View-Template) architectural pattern. It is a batteries-included framework with secure defaults, but there are still a few things that need to be 'tweaked' in order to fully utilize Django's defence capabilities.


1) DEBUG = False

Please, please, please never deploy your application with DEBUG = True. Ensure that DEBUG is set to False. If you don't, Django's error page will show a full traceback, your settings and the request metadata to anyone who manages to trigger an exception.

# settings.py 

DEBUG = False

2) Deployment checklist

The next important step is to run the command below in your terminal. Django will print a list of security warnings pertaining to your web application, which gives you a quick breakdown of the major issues that require your attention before you go through with deployment. For those of you that like to get ahead early in the game, give those security messages a quick google.

python manage.py check --deploy

3) Cross-site Scripting (XSS)

Cross-site scripting attacks involve an attacker injecting a malicious script into your application, usually through user-supplied content that gets rendered without escaping. If an XSS attack is carried out, attackers may be able to steal your users' sensitive information. Django's template engine auto-escapes variables by default, which is your main defence; the following settings add a little defence in depth (note that modern browsers ignore the X-XSS-Protection header, so the nosniff header is the more useful of the two, and both are only sent when django.middleware.security.SecurityMiddleware is in your MIDDLEWARE list):

# settings.py 

SECURE_BROWSER_XSS_FILTER = True 
SECURE_CONTENT_TYPE_NOSNIFF = True

4) SSL redirect

The line below ensures that SecurityMiddleware redirects all non-HTTPS requests to HTTPS. If your application sits behind a TLS-terminating proxy or load balancer, also configure SECURE_PROXY_SSL_HEADER so that Django can tell which requests already arrived over HTTPS; otherwise every request looks insecure and you end up in a redirect loop.

# settings.py 

SECURE_SSL_REDIRECT = True

5) Change the default Django admin URL

Someone who is familiar with Django can easily find your admin page by simply typing "www.yourwebsite.com/admin" into their browser. Therefore, it is essential that you change your 'admin/' URL to something unique and memorable. Keep in mind that this only hides the login page from casual discovery; it is no substitute for strong admin credentials.

Check the before and after code snippets to understand how to change your admin URL.

Before:

# urls.py 

from django.contrib import admin 
from django.urls import path

urlpatterns = [ 
    path('admin/', admin.site.urls),  # Default admin URL 
]

After:

# urls.py 

from django.contrib import admin 
from django.urls import path

urlpatterns = [ 
    path('secret-admin/', admin.site.urls),  # Updated 
]

6) HTTP Strict Transport Security (HSTS)

The lines below send a Strict-Transport-Security header, which tells browsers to connect to your site only over HTTPS for the given number of seconds (here one day). That closes the window in which a man-in-the-middle attacker could downgrade a visitor to plain HTTP. Start with a short max-age like this one and raise it only once every page and subdomain works over HTTPS, because browsers will refuse plain HTTP for your site until the header expires. Submission to the browser preload list additionally requires a max-age of at least one year (31536000 seconds) together with the includeSubDomains directive.

# settings.py 

SECURE_HSTS_SECONDS = 86400 
SECURE_HSTS_PRELOAD = True 
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

7) Cross-site request forgery (CSRF) protection

Django's CsrfViewMiddleware already protects your forms; these two settings mark the session and CSRF cookies as Secure, so a browser never sends them over plain HTTP where an attacker on the network could read or replace them.

Be sure that HTTPS is set up, then add the following lines:

# settings.py 

SESSION_COOKIE_SECURE = True 
CSRF_COOKIE_SECURE = True
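To make the reasoning behind points 1 to 7 concrete, here is an added example that is not part of the original post and not Django's own check framework: it audits a plain dict of settings the way `manage.py check --deploy` reasons about them. The ADMIN_URL key is hypothetical (it stands in for the path you register in urls.py), and the two sample settings dicts are constructed to show a fresh project before and after the checklist.

```python
"""Added example: a tiny settings audit in the spirit of `manage.py check --deploy`.

Not Django code; it checks a plain dict of settings against the points in this
checklist so the reasoning behind each setting is explicit. ADMIN_URL is a
hypothetical key standing in for the path registered in urls.py.
"""
from dataclasses import dataclass

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"
ONE_YEAR = 31536000  # minimum HSTS max-age accepted by the browser preload list


@dataclass(frozen=True)
class Finding:
    setting: str
    message: str


def weak_secret_key(key: str) -> bool:
    # Short, low-entropy or generated-as-insecure keys are not acceptable in production.
    return len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-")


def audit_settings(settings: dict) -> list[Finding]:
    """Return one Finding per checklist item the settings dict fails, in checklist order."""
    findings: list[Finding] = []

    if settings.get("DEBUG", True):
        findings.append(Finding("DEBUG", "must be False in production; error pages leak tracebacks and settings"))

    if SECURITY_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        findings.append(Finding("MIDDLEWARE", "SecurityMiddleware is not enabled, so the SECURE_* settings do nothing"))

    if not settings.get("SECURE_CONTENT_TYPE_NOSNIFF", False):
        findings.append(Finding("SECURE_CONTENT_TYPE_NOSNIFF", "set True to send X-Content-Type-Options: nosniff"))

    if not settings.get("SECURE_SSL_REDIRECT", False):
        findings.append(Finding("SECURE_SSL_REDIRECT", "set True so plain HTTP requests are redirected to HTTPS"))

    hsts = int(settings.get("SECURE_HSTS_SECONDS", 0))
    if hsts <= 0:
        findings.append(Finding("SECURE_HSTS_SECONDS", "no Strict-Transport-Security header is sent"))
    elif settings.get("SECURE_HSTS_PRELOAD", False) and (
        hsts < ONE_YEAR or not settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False)
    ):
        findings.append(Finding("SECURE_HSTS_PRELOAD", "preload needs max-age >= 1 year and includeSubDomains"))

    for cookie in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(cookie, False):
            findings.append(Finding(cookie, "set True so the cookie is only sent over HTTPS"))

    if weak_secret_key(str(settings.get("SECRET_KEY", ""))):
        findings.append(Finding("SECRET_KEY", "use a long random value loaded from the environment, not a placeholder"))

    if settings.get("ADMIN_URL", "admin/").strip("/") == "admin":
        findings.append(Finding("ADMIN_URL", "the admin is mounted at the default /admin/ path"))

    return findings


# Constructed sample: roughly what a fresh project ships with (plus the
# placeholder key from this post), then the same project after the checklist.
INSECURE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "my_secret_key",
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
    "ADMIN_URL": "admin/",
}

HARDENED_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": "constructed-placeholder-key-0123456789abcdefghijklmnopqrstuvwxyz",
    "MIDDLEWARE": [SECURITY_MIDDLEWARE, "django.middleware.common.CommonMiddleware"],
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 86400,
    "SECURE_HSTS_PRELOAD": True,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "ADMIN_URL": "secret-admin/",
}


def failing_settings(settings: dict) -> list[str]:
    """Names of the settings that produced a finding, in audit order."""
    return [f.setting for f in audit_settings(settings)]


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"== {name} ==")
        for f in audit_settings(cfg):
            print(f"  {f.setting}: {f.message}")
```

Running it shows the insecure dict failing every item, while the hardened dict built from the values in this post still gets one finding: SECURE_HSTS_PRELOAD is on but the one-day max-age is below what the preload list accepts, which is exactly the kind of nuance `check --deploy` exists to surface.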

8) Use python-decouple

Your settings.py file is full of sensitive information, such as your SECRET_KEY. Use python-decouple to keep those values in a separate file that stays out of your code base.

Step 1:

To install python-decouple in your application, open up your terminal and type in the following command:

pip install python-decouple

Step 2:

Create a .env file in your repository’s root directory.

Step 3:

As a test, we will store some important data, such as DEBUG and our SECRET_KEY. Simply copy and paste your DEBUG and SECRET_KEY values from settings.py as-is into your .env file.

DEBUG=False 
SECRET_KEY='my_secret_key'

Step 4:

If you are using Git, add .env to your .gitignore so that the secrets are never committed.

Step 5:

Next, you need to import the decouple library:

# settings.py 

from decouple import config

Step 6:

Now we want to get our parameters.

Decouple reads every value from the .env file as a string. To solve this problem, pass cast=bool when you expect a Boolean (decouple understands strings such as 'False' and 'True', which a plain bool() call would not: bool('False') is True) or cast=int when you expect an integer. Go back to your settings.py and modify your existing DEBUG and SECRET_KEY values as follows:

# settings.py 

DEBUG = config('DEBUG', cast=bool) 
SECRET_KEY = config('SECRET_KEY')
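The point about casting is easy to get wrong, so here is an added example, written for this page and not python-decouple's own code, that imitates the behaviour the steps above rely on: parse a .env file, let a real environment variable override it, strip one pair of quotes around a value, and parse boolean words instead of calling bool() on a string. The .env content is constructed to match step 3.

```python
"""Added example: a miniature .env loader written to show why cast=bool matters.

This is not python-decouple's code, only an imitation of the behaviour this post
relies on (strip quotes, real environment wins over the file, parse boolean words
instead of calling bool() on a string).
"""
from __future__ import annotations

import os
from typing import Any, Callable, Mapping

_TRUE_WORDS = {"1", "true", "yes", "on", "y"}
_FALSE_WORDS = {"0", "false", "no", "off", "n", ""}


def strtobool(value: str) -> bool:
    """Interpret the usual boolean spellings; anything else is an error, not a silent True."""
    word = value.strip().lower()
    if word in _TRUE_WORDS:
        return True
    if word in _FALSE_WORDS:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=value lines; blank lines and # comments are ignored and one pair of
    matching quotes around a value is removed."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if not sep:
            continue  # not an assignment
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


class Config:
    """config('NAME', default=..., cast=...) lookalike."""

    _MISSING = object()

    def __init__(self, dotenv: Mapping[str, str], environ: Mapping[str, str] | None = None):
        self._dotenv = dict(dotenv)
        self._environ = os.environ if environ is None else environ

    def __call__(self, name: str, default: Any = _MISSING, cast: Callable[[str], Any] | None = None) -> Any:
        if name in self._environ:  # a real environment variable overrides the file
            value = self._environ[name]
        elif name in self._dotenv:
            value = self._dotenv[name]
        elif default is not self._MISSING:
            return default  # defaults are returned as given, not cast
        else:
            raise KeyError(f"{name} is not set in the environment or .env")
        if cast is bool:  # bool("False") would be True; parse the word instead
            return strtobool(value)
        return value if cast is None else cast(value)


# Constructed .env content matching step 3 of this post.
SAMPLE_DOTENV = """
# constructed sample
DEBUG=False
SECRET_KEY='my_secret_key'
SESSION_COOKIE_AGE=1209600
"""


def load_settings(dotenv_text: str = SAMPLE_DOTENV, environ: Mapping[str, str] | None = None) -> dict[str, Any]:
    """Return the values settings.py would get, plus the naive bool() result for comparison."""
    config = Config(parse_dotenv(dotenv_text), environ={} if environ is None else environ)
    return {
        "DEBUG": config("DEBUG", cast=bool),
        "NAIVE_DEBUG": bool(config("DEBUG")),  # the bug that cast=bool avoids
        "SECRET_KEY": config("SECRET_KEY"),
        "SESSION_COOKIE_AGE": config("SESSION_COOKIE_AGE", cast=int),
        "ALLOWED_HOSTS": config("ALLOWED_HOSTS", default="localhost"),
    }


if __name__ == "__main__":
    for key, value in load_settings().items():
        print(f"{key} = {value!r}")
```

NAIVE_DEBUG comes out True even though the file says DEBUG=False, which is the failure mode that would quietly ship a debug-enabled site; the cast=bool path returns False.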

9) Content Security Policy (CSP)

A content security policy (CSP) is a response header that tells the browser which sources of scripts, styles, images and frames your pages are allowed to load. It is useful for preventing clickjacking (via frame-ancestors), cross-site scripting, and other types of code injection attacks, although a site with a lot of inline styles and scripts will need some work before it can run under a strict policy. Be sure to read online about CSP.
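As an added example that is not from the original post, the snippet below composes a Content-Security-Policy header value from a dict of directives and flags the sources that weaken it. The directive names and keyword sources are the standard CSP ones; the two sample policies are constructed for illustration. How you attach the header to Django responses (a middleware of your own or a third-party package) is outside this snippet.

```python
"""Added example (not from the post): compose and sanity-check a
Content-Security-Policy header value. The two policies are constructed samples."""
from collections.abc import Mapping, Sequence

# Sources that make a directive close to meaningless against injected content.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:"}


def build_csp(policy: Mapping[str, Sequence[str]]) -> str:
    """Serialise {directive: [sources]} into a header value."""
    return "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())


def parse_csp(header: str) -> dict[str, list[str]]:
    """Inverse of build_csp; tolerant of extra whitespace and a trailing ';'."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def weak_directives(policy: Mapping[str, Sequence[str]]) -> dict[str, list[str]]:
    """Return the directives that include a weak source, with the offending sources."""
    return {
        directive: [s for s in sources if s in WEAK_SOURCES]
        for directive, sources in policy.items()
        if any(s in WEAK_SOURCES for s in sources)
    }


def allows_framing(policy: Mapping[str, Sequence[str]]) -> bool:
    """True unless frame-ancestors restricts who may embed the page (clickjacking)."""
    ancestors = policy.get("frame-ancestors")
    return ancestors is None or "*" in ancestors


# Constructed: what many sites start with once inline scripts and styles are grandfathered in.
PERMISSIVE_POLICY = {
    "default-src": ["*"],
    "script-src": ["'self'", "'unsafe-inline'", "https:"],
    "style-src": ["'self'", "'unsafe-inline'"],
}

# Constructed: a policy for a site whose templates only load same-origin assets.
STRICT_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "frame-ancestors": ["'none'"],
    "base-uri": ["'self'"],
}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("strict", STRICT_POLICY)):
        print(f"{name}: Content-Security-Policy: {build_csp(policy)}")
        print("  weak:", weak_directives(policy) or "none", "| framing allowed:", allows_framing(policy))
```

The permissive policy is the one you tend to end up with when inline scripts are allowed to stay: 'unsafe-inline' in script-src lets an injected script run just as it would without a CSP, and without frame-ancestors the page can still be framed for clickjacking. The strict policy is what the inline-script cleanup buys you.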


10) Mozilla Observatory

Once you have deployed your application, be sure to check out the Mozilla Observatory. It will scan your website for potential security flaws. Once the scan is complete you will get a breakdown of what is good and what needs to be improved, as well as a cool overall score, just like when you received that 'amazing' math test back in high school.

Mozilla Observatory: a project designed to help developers, system administrators, and security professionals…


11) Research, research, and research

No matter how much effort you put in to protect your website, it will never be 100% secure, but that doesn’t mean you can’t do some research of your own and try to make it as secure as possible.

And that’s that! Your Django web application has the basic components that are required for it to be secure. Of course, there are more ways to improve the security of your web application, but you have now implemented the bare minimum that you require.



A final note…

For those that are interested in learning Django from scratch, feel free to check out my latest course:

Python Django: Ultimate Beginners Course - 2022
