From c516086d124cb009a7a5585e835997a23ac6b879 Mon Sep 17 00:00:00 2001 From: PCoder Date: Sat, 29 Feb 2020 15:48:43 +0530 Subject: [PATCH] Remove session management (no session play going on) --- notes.md | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/notes.md b/notes.md index 0700812..9974f53 100644 --- a/notes.md +++ b/notes.md @@ -1,9 +1,11 @@ -I divide the security points that I think are important into 3 classes: 1) Critical 2) Standard 3) Other based on their importance and django recommendations. +I divide the security points that I think are important into 3 classes: 1) Critical and 2) Other based on their importance and django recommendations. ## Critical points 1. DB Password in codebase + 2. SECRET_KEY in codebase and same in development and production + 3. Object level access control permission missing - I see the UserPermission class and I am assuming it is for managing object level permission but I am not sure how it is being used for object level permissions. By object permissions, I mean granting add/delete/change/view permissions on an object to a particular user or a group. - In Django we generally use the django-guardian module to accomplish this. 
@@ -52,8 +54,7 @@ def attachment_delete(request, pk): Anyone who can login to the system, could potentially delete an attachment belonging to some other user, which may be disastrous. We could easily overcome this like the example from django-guardian above. -4. Check session management carefully -5. I am not sure what exact Django version the app is designed for. I am assuming some version of Django 2.x.x. based on my attempt to run the project. It would be nice to check all vulnerabilities for this specific version of Django. +4. I am not sure what exact Django version the app is designed for. I am assuming some version of Django 2.x.x. based on my attempt to run the project. It would be nice to check all vulnerabilities for this specific version of Django. ## Standard Django app deployment checks @@ -75,12 +76,11 @@ WARNINGS: ``` - ## Other security configurations for Django What are the various security parameters ? https://django-secure.readthedocs.io/en/latest/settings.html -1. XSS +1. Django's way to protect the project against XSS is to enable the following values ``` # For Xss filter See https://scotthelme.co.uk/x-xss-protection-1-mode-block-demo/ @@ -92,7 +92,19 @@ SECURE_BROWSER_XSS_FILTER = True SECURE_CONTENT_TYPE_NOSNIFF = True ``` -2. HSTS settings + +2. SSL and HSTS + +Force/exempt ssl urls +``` +# set to any regex of urls that need to be served over plain http +# https://django-secure.readthedocs.io/en/latest/settings.html#secure-ssl-redirect +SECURE_REDIRECT_EXEMPT = [] +SECURE_SSL_HOST = None +SECURE_SSL_REDIRECT = False +``` + +Enable HSTS ``` # Make the production server to respond to https always or set the strict https settings iff for a single domain 
@@ -101,11 +113,3 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS=True SECURE_HSTS_SECONDS=30 seconds and above based on tests SECURE_HSTS_PRELOAD = True ``` -3. Force/exempt ssl urls -``` -# set to any regex of urls that need to be served over plain http -# https://django-secure.readthedocs.io/en/latest/settings.html#secure-ssl-redirect -SECURE_REDIRECT_EXEMPT = [] -SECURE_SSL_HOST = None -SECURE_SSL_REDIRECT = False -```
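Review bot: in the first hunk (`@@ -1,9 +1,11 @@`) the rewritten intro still says "3 classes" while the enumeration now lists only two ("1) Critical and 2) Other"); change it to "2 classes", or keep the third class, because the "## Standard Django app deployment checks" heading still exists in the second hunk's context and is now no longer announced by the intro. The new point 2 (SECRET_KEY in codebase and identical across development and production) names the problem but, unlike the object-permission point that follows it, gives no remediation; a one-line suggestion such as reading `SECRET_KEY` from an environment variable and generating a distinct value per deployment would make the list actionable.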
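Review bot: in the second hunk (`@@ -52,8 +54,7 @@`) dropping "Check session management carefully" seems premature: the hunk's own context describes `attachment_delete`, where "anyone who can login to the system" can delete other users' attachments, so the app relies on Django's login sessions even if it has no custom session code. Session cookie hardening (`SESSION_COOKIE_SECURE`, `SESSION_COOKIE_HTTPONLY`, `CSRF_COOKIE_SECURE`) therefore still belongs on the list, perhaps under the deployment checks rather than the critical points. For the renumbered point 4, suggest recording the exact Django version (for example the pin in the project's requirements, or `django.get_version()` from the running environment) rather than leaving it at "some version of Django 2.x.x", since the advisory lookup it proposes depends on the precise release.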
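Review bot: in the third hunk (`@@ -75,12 +76,11 @@`) the new sentence "Django's way to protect the project against XSS is to enable the following values" overstates what `SECURE_BROWSER_XSS_FILTER` and `SECURE_CONTENT_TYPE_NOSNIFF` do. Django's actual XSS defence is template auto-escaping (plus care around `mark_safe`/`|safe`); `SECURE_BROWSER_XSS_FILTER` only emits the `X-XSS-Protection` header, which browsers have been removing support for, and `SECURE_CONTENT_TYPE_NOSNIFF` addresses MIME sniffing rather than XSS. Reword to "extra response headers" and mention auto-escaping. In the same hunk the new "Force/exempt ssl urls" block shows `SECURE_SSL_REDIRECT = False` under a heading that says force SSL; that is Django's default and forces nothing, so either show `SECURE_SSL_REDIRECT = True` for production or add a comment saying the value must be flipped. Also note that the linked django-secure project was merged into Django as `SecurityMiddleware`, so the current Django settings reference is the authoritative source for these names.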
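Review bot: in the fourth hunk (`@@ -101,11 +113,3 @@`) the deleted "3. Force/exempt ssl urls" section is the same text now inserted in the previous hunk, so the move itself is fine, but the retained context line `SECURE_HSTS_SECONDS=30 seconds and above based on tests` is not valid inside a settings code fence and the value is misleading next to `SECURE_HSTS_PRELOAD = True`. Browser preload lists require a much longer max-age (on the order of a year) together with `includeSubDomains`, so suggest `SECURE_HSTS_SECONDS = 30  # raise to 31536000 after testing; required before enabling preload` with the explanatory words moved into a comment or the surrounding prose.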