Remove session management (no session play going on)

PCoder 2020-02-29 15:48:43 +05:30
parent 65de40f985
commit c516086d12


@ -1,9 +1,11 @@
I divide the security points that I think are important into 3 classes: 1) Critical 2) Standard 3) Other based on their importance and django recommendations. I divide the security points that I think are important into 3 classes: 1) Critical and 2) Other based on their importance and django recommendations.
## Critical points ## Critical points
1. DB Password in codebase 1. DB Password in codebase
2. SECRET_KEY in codebase and same in development and production 2. SECRET_KEY in codebase and same in development and production
3. Object level access control permission missing 3. Object level access control permission missing
- I see the UserPermission class and I am assuming it is for managing object level permission but I am not sure how it is being used for object level permissions. By object permissions, I mean granting add/delete/change/view permissions on an object to a particular user or a group. - I see the UserPermission class and I am assuming it is for managing object level permission but I am not sure how it is being used for object level permissions. By object permissions, I mean granting add/delete/change/view permissions on an object to a particular user or a group.
- In Django we generally use the django-guardian module to accomplish this. - In Django we generally use the django-guardian module to accomplish this.
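Review bot: the new intro sentence now says there are two classes, "1) Critical and 2) Other", but the file still carries a "## Standard Django app deployment checks" heading between the critical and other sections (it appears as unchanged context in the next hunk), so the headings no longer match the classification sentence. Either keep the three-class wording or state that the standard deployment checks fall under "Other". Minor: "django recommendations" should read "Django recommendations" for consistency with the rest of the file.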
@ -52,8 +54,7 @@ def attachment_delete(request, pk):
Anyone who can login to the system, could potentially delete an attachment belonging to some other user, which may be disastrous. We could easily overcome this like the example from django-guardian above. Anyone who can login to the system, could potentially delete an attachment belonging to some other user, which may be disastrous. We could easily overcome this like the example from django-guardian above.
4. Check session management carefully 4. I am not sure what exact Django version the app is designed for. I am assuming some version of Django 2.x.x. based on my attempt to run the project. It would be nice to check all vulnerabilities for this specific version of Django.
5. I am not sure what exact Django version the app is designed for. I am assuming some version of Django 2.x.x. based on my attempt to run the project. It would be nice to check all vulnerabilities for this specific version of Django.
## Standard Django app deployment checks ## Standard Django app deployment checks
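Review bot: deleting item 4 ("Check session management carefully") removes the only mention of session handling, yet the sentence just above it ("Anyone who can login to the system ...") shows the app has logged-in users and therefore relies on Django sessions. Rather than dropping the point, consider reducing it to a one-liner on the session cookie settings (SESSION_COOKIE_SECURE, SESSION_COOKIE_HTTPONLY), which belong with the deployment checks in the section that follows. Minor: "Django 2.x.x. based on" has a stray period after the version.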
@ -75,12 +76,11 @@ WARNINGS:
``` ```
## Other security configurations for Django ## Other security configurations for Django
What are the various security parameters ? https://django-secure.readthedocs.io/en/latest/settings.html What are the various security parameters ? https://django-secure.readthedocs.io/en/latest/settings.html
1. XSS 1. Django's way to protect the project against XSS is to enable the following values
``` ```
# For Xss filter See https://scotthelme.co.uk/x-xss-protection-1-mode-block-demo/ # For Xss filter See https://scotthelme.co.uk/x-xss-protection-1-mode-block-demo/
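Review bot: the new wording "Django's way to protect the project against XSS is to enable the following values" overstates what these settings do. SECURE_BROWSER_XSS_FILTER and SECURE_CONTENT_TYPE_NOSNIFF only add response headers that ask the browser to apply its own filtering; Django's primary XSS defence is template auto-escaping, which these headers supplement. Suggest "Django's additional browser-side protections against XSS are enabled with the following settings". Also, the django-secure link documents a third-party package whose settings were merged into Django core in 1.8, so Django's own settings reference is the better link, and "parameters ?" has a stray space before the question mark.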
@ -92,7 +92,19 @@ SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True SECURE_CONTENT_TYPE_NOSNIFF = True
``` ```
2. HSTS settings
2. SSL and HSTS
Force/exempt ssl urls
```
# set to any regex of urls that need to be served over plain http
# https://django-secure.readthedocs.io/en/latest/settings.html#secure-ssl-redirect
SECURE_REDIRECT_EXEMPT = []
SECURE_SSL_HOST = None
SECURE_SSL_REDIRECT = False
```
Enable HSTS
``` ```
# Make the production server to respond to https always or set the strict https settings iff for a single domain # Make the production server to respond to https always or set the strict https settings iff for a single domain
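Review bot: the moved "Force/exempt ssl urls" block shows `SECURE_SSL_REDIRECT = False` as the value, which contradicts the comment directly below it ("Make the production server to respond to https always") and leaves the HSTS settings ineffective for a visitor who arrives over plain http, because SecurityMiddleware only sends the Strict-Transport-Security header on https responses. Show the production value, `SECURE_SSL_REDIRECT = True`, and add a comment that SECURE_REDIRECT_EXEMPT is the list of regexes for the few paths that must stay on plain http. `SECURE_SSL_HOST = None` is a fine default, but a one-line comment saying it is only needed when redirecting to a different host would help the reader.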
@ -101,11 +113,3 @@ SECURE_HSTS_INCLUDE_SUBDOMAINS=True
SECURE_HSTS_SECONDS=30 seconds and above based on tests SECURE_HSTS_SECONDS=30 seconds and above based on tests
SECURE_HSTS_PRELOAD = True SECURE_HSTS_PRELOAD = True
``` ```
3. Force/exempt ssl urls
```
# set to any regex of urls that need to be served over plain http
# https://django-secure.readthedocs.io/en/latest/settings.html#secure-ssl-redirect
SECURE_REDIRECT_EXEMPT = []
SECURE_SSL_HOST = None
SECURE_SSL_REDIRECT = False
```
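Review bot: removing the duplicate "Force/exempt ssl urls" block is fine, but the remaining context line `SECURE_HSTS_SECONDS=30 seconds and above based on tests` is not valid Python (the trailing words are a syntax error if pasted into settings.py), and 30 seconds is inconsistent with `SECURE_HSTS_PRELOAD = True`, since submission to the browser preload list requires a max-age of at least one year. Suggest `SECURE_HSTS_SECONDS = 31536000  # ramp up from a small value once https is verified` and keep the "based on tests" explanation in the comment.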