DEV Community

ashrafZolkopli


Django GitHub Template

Preface

When working with Django, we as developers can rest assured that much of the security work has already been done for us. Django says as much on its front page.

This means the usual OWASP Top 10 vulnerability classes are already handled out of the box: the ORM parameterises queries against SQL injection, templates auto-escape output against XSS, the CSRF middleware protects forms and the clickjacking middleware sets X-Frame-Options. Those protections only hold as long as we keep the defaults and do not route around them with raw SQL, mark_safe or csrf_exempt.

However, there are things we can add on top of Django to make it more secure and robust, and reduce the chance that our website is compromised by a malicious actor.

This post series looks at how to make Django considerably more secure while keeping the balance between usability and protecting customer data.

Since this setup should be the starting point of most Django projects, I want to create a GitHub template that I can reuse for every new Django project.

Securing Django

The way I see it, there are three areas where we can improve the security of a Django application:

  1. Django Setting/Configuration

    1. Django environment variable - python-decouple
    2. Django Password Hash - Argon2
  2. Django User Authentication/Authorization

    1. Django Password Validation - django-password-validators
    2. Password Strength check - django-zxcvbn-password
  3. Django User Session

    1. Restrict Session - django-restricted-sessions
    2. Prevent Concurrent Login - django-preventconcurrentlogins
    3. User Control Django Session - django-user-session
    4. Ratelimit - django-ratelimit
    5. User Audit - django-useraudit

Slowly but surely, I will link each part of the series to the library listed above. If the series ends up hanging, please message me or leave a comment so that I am reminded.

Going forward we need a good base to start from, and for me any project should start with a git repo. A good mantra to live by is,

Commit Small Commit Fast

Github Git Repo

When starting a new project, I use GitHub as my repo. I prefer it this way since it gives me the flexibility to continue my project from multiple devices.

Below is my Git repo setup in GitHub.
GitHub: ashrafZolkopli / Django_Template (A Django secure starter template)

Setting up the Initial Django project

I won't be sharing a step-by-step method for starting a new Django project, so I will skim through the process.

First, create a folder named Backend. This gives every project that follows this template a common top-level directory.

In this Backend folder I start with my virtual environment using

pipenv shell

then install the Django package with

pipenv install django

start a Django project with

django-admin startproject Backend .

(the trailing dot keeps manage.py in the current folder instead of nesting a second Backend directory) and add a User app with

python manage.py startapp User

now in your User folder, open models.py and add the following code

from django.db import models
from django.contrib.auth.models import AbstractUser
from django.utils.translation import gettext_lazy as _

# Create your models here.


class User(AbstractUser):
    # Subclassing AbstractUser now, before the first migration, keeps the
    # stock username/password/permission fields but lets us add fields or
    # change authentication behaviour later without a painful model swap.
    pass

then open your admin.py and add the following code

from django.contrib import admin
from django.contrib.auth.admin import UserAdmin
from django.contrib.auth import get_user_model
# Register your models here.

# get_user_model() resolves AUTH_USER_MODEL, so this keeps working if the
# model is moved or renamed later.
User = get_user_model()


@admin.register(User)
class CustomUserAdmin(UserAdmin):
    # Reusing the stock UserAdmin keeps the password-change form and the
    # hashed-password display instead of exposing the raw password field.
    pass

now add your User app to INSTALLED_APPS in your settings.py file. The name has to be exact: Django silently ignores settings it does not recognise, so a misspelt INSTALLED_APP would simply leave the app unregistered.

INSTALLED_APPS = [
    "User",
# continue with all the default apps.
]

add the following somewhere in your settings.py. Set it before you run the first migrate: changing AUTH_USER_MODEL after the auth tables exist is much harder, because every foreign key and many-to-many relation to the user model has to be rebuilt.

# Custom User Model
AUTH_USER_MODEL = 'User.User'
then add the static and media settings

# Static files (CSS, JavaScript, Images)
# https://docs.djangoproject.com/en/3.2/howto/static-files/

STATIC_ROOT = BASE_DIR.joinpath('static')
STATIC_URL = '/static/'
STATICFILES_DIRS = [
    BASE_DIR.joinpath("static_files"),
]

# Public media files (user uploads). Keep MEDIA_ROOT separate from
# STATIC_ROOT and treat everything stored in it as untrusted input.

MEDIA_ROOT = BASE_DIR.joinpath('media')
MEDIA_URL = '/media/'

also replace the TEMPLATES setting in your settings.py with

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [
            BASE_DIR.joinpath('templates'),
        ],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

From here you can already commit to your git repo. One thing to keep in mind: the settings.py that startproject generated contains a hard-coded SECRET_KEY (Django 3.2 prefixes it with django-insecure-), and committing it to a public template publishes that key. That is one of the reasons the next post moves values like this into environment variables.

End

Since we have committed the code into our repo, I would like to end this post here. Stay tuned for the next installment.
