May 13, 2016, 7:14 p.m.

Securing Django

(Image: "We Don't". Caption: Don't Be This Guy)

The thing that I admire most about the Django Web Application Framework is that in many ways it is "Secure by Default", much like the OpenBSD operating system. Back in the late 90s and early 2000s I used PostNuke, and then jumped into deploying Drupal sites here and there. But all PHP web frameworks that are or were somewhat powerful are riddled with a history of security issues. There are a myriad of reasons for this, and I am not going to entertain them in this post. If you want to read a well written article covering this issue, then check "Django or Drupal? a guide for decision makers".

For the most part I believe it is safe to say that the Django Web Application Framework was designed from the ground up with security in mind, specifically the OWASP Top Ten.

But enough background and history. If you are getting ready to work with Django and then deploy it, let's cover the two most fundamentally important security best practices that you must take care of before deploying to production.

So in your settings.py what we need to do is change DEBUG=True to DEBUG=False and remove the SECRET_KEY value from the settings.py file itself. I won't cover how to do this in detail here; I will cover it in the next post.

Mr. Levi Gross has put together the perfect Django Security Resource, which basically reads like the perfect set of questions that a hiring manager should ask a potential Django developer before hiring him or her. Then Mr. Kevin London turns around and answers the questions himself on his blog.

But none of the questions and answers are esoteric or arcane; all of this comes directly from Django's web site and is straightforward.

It's not just important to rapidly deploy a well designed, good looking UI web app that meets users' requirements. It's just as important to design, develop and write secure code for any web application that you build, and not to make security an afterthought. But again, before you even start to think about any other potential security issues, make sure that you clean up settings.py by turning off DEBUG and removing the SECRET_KEY, which I will talk about in the next post on Django.
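As an added example (not code from the original post), here is one way to apply the two settings.py fixes above: the secret is read from the environment instead of living in the file, and DEBUG fails closed unless explicitly opted in. The environment variable names DJANGO_SECRET_KEY and DJANGO_DEBUG are my own assumptions, not Django conventions.

```python
# Added example, not from the original post. Reads SECRET_KEY and DEBUG from
# the environment so the key never sits in settings.py and DEBUG defaults to
# off. The variable names DJANGO_SECRET_KEY / DJANGO_DEBUG are assumptions.
import os

# Thresholds mirror what `manage.py check --deploy` warns about (security.W009):
# a key shorter than 50 characters or with fewer than 5 distinct characters.
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE = 5


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (no Django import needed)."""


def load_secret_key(env=None):
    """Return SECRET_KEY from the environment, refusing a missing or weak key."""
    env = os.environ if env is None else env
    key = env.get("DJANGO_SECRET_KEY", "")
    if not key:
        raise ImproperlyConfigured("DJANGO_SECRET_KEY is not set")
    if len(key) < SECRET_KEY_MIN_LENGTH or len(set(key)) < SECRET_KEY_MIN_UNIQUE:
        raise ImproperlyConfigured("DJANGO_SECRET_KEY is too short or too repetitive")
    return key


def load_debug(env=None):
    """Return DEBUG; anything other than an explicit opt-in string means False."""
    env = os.environ if env is None else env
    return env.get("DJANGO_DEBUG", "").strip().lower() in ("1", "true", "yes")


# In a real settings.py these two assignments replace the hard-coded values:
# SECRET_KEY = load_secret_key()
# DEBUG = load_debug()
```

With this in place, a production host that forgets to set DJANGO_SECRET_KEY refuses to start rather than running with a known key, and a missing DJANGO_DEBUG leaves DEBUG off.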

I would like to personally thank Mr. Gross and Mr. London for these invaluable resources for Django security. A million bows to you, gentlemen.
