portal_review/notes.md
2020-02-11 09:46:15 +05:30

I divide the security points that I think are important into three classes, based on their importance and Django's recommendations: 1) Critical, 2) Standard, 3) Other.

Critical points

  1. DB password in the codebase
  2. SECRET_KEY in the codebase, and the same key in development and production
  3. Object-level access permission missing
  • I see the UserPermission class and I am assuming it is for managing object-level permissions, but I am not sure how it is being used for object-level permissions.
  4. Check session management carefully
  5. I am not sure what exact Django version the app is designed for. I am assuming some version of Django 2.x.x based on my attempt to run the project. It would be nice to check all vulnerabilities for this specific version of Django.
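For the first two critical points, a quick way to check a settings module for committed credentials is to parse it and flag SECRET_KEY and any DATABASES PASSWORD that is assigned as a string literal rather than read from the environment. The scanner below is an added example written for this review, not code from the portal project; the two settings texts it runs over are constructed samples, and the placeholder values in them are not real credentials.

```python
"""Flag secrets assigned as string literals in a Django settings module.

Added example for this review, not the portal project's code. The settings
texts below are constructed samples.
"""
import ast

# Module-level names that must never be string literals in settings.
SECRET_NAMES = {"SECRET_KEY"}
# Keys inside each DATABASES entry that must never be string literals.
SECRET_DB_KEYS = {"PASSWORD"}


def _is_literal_str(node):
    """True for a plain string constant such as "hunter2"."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _scan_databases(node):
    """Walk DATABASES = {alias: {KEY: value, ...}} and flag literal passwords."""
    found = []
    if not isinstance(node, ast.Dict):
        return found
    for alias_key, alias_cfg in zip(node.keys, node.values):
        if not isinstance(alias_cfg, ast.Dict):
            continue
        alias = alias_key.value if isinstance(alias_key, ast.Constant) else "?"
        for key, value in zip(alias_cfg.keys, alias_cfg.values):
            if (isinstance(key, ast.Constant) and key.value in SECRET_DB_KEYS
                    and _is_literal_str(value)):
                found.append((value.lineno,
                              f"DATABASES[{alias!r}][{key.value!r}] is a string literal"))
    return found


def find_hardcoded_secrets(source):
    """Return (line number, description) for every secret committed as a literal.

    Parsing with ``ast`` means values pulled from the environment
    (os.environ["..."], os.getenv("...")) are Subscript/Call nodes and are
    not flagged; only string constants are.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            if target.id in SECRET_NAMES and _is_literal_str(node.value):
                findings.append((node.lineno, f"{target.id} is a string literal"))
            if target.id == "DATABASES":
                findings.extend(_scan_databases(node.value))
    return findings


# Constructed sample: the pattern the review flags (values are placeholders).
COMMITTED_SETTINGS = '''\
import os
SECRET_KEY = "example-key-placeholder-not-a-real-secret"
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": "portal",
        "USER": "portal",
        "PASSWORD": "example-password-placeholder",
    }
}
'''

# Constructed sample: the same settings with secrets taken from the environment.
ENV_SETTINGS = '''\
import os
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": "portal",
        "USER": "portal",
        "PASSWORD": os.environ["DJANGO_DB_PASSWORD"],
    }
}
'''

if __name__ == "__main__":
    for label, text in (("committed", COMMITTED_SETTINGS), ("env", ENV_SETTINGS)):
        print(label, find_hardcoded_secrets(text))
```

Reading the key from an environment variable also addresses the second half of point 2: each environment gets its own SECRET_KEY value, so development and production no longer share one.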

Standard Django app deployment checks

  • Check the issues reported by manage.py check --deploy:
(venv) [pcoder@archlinux portal]$ ./manage.py check --deploy
System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W006) Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pages will not be served with an 'x-content-type-options: nosniff' header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.
?: (security.W007) Your SECURE_BROWSER_XSS_FILTER setting is not set to True, so your pages will not be served with an 'x-xss-protection: 1; mode=block' header. You should consider enabling this header to activate the browser's XSS filtering and help prevent XSS attacks.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.

Other security configurations for Django

What are the various security parameters? See https://django-secure.readthedocs.io/en/latest/settings.html

  1. XSS
# For the XSS filter, see https://scotthelme.co.uk/x-xss-protection-1-mode-block-demo/
SECURE_BROWSER_XSS_FILTER = True
# See https://docs.djangoproject.com/en/dev/ref/middleware/#x-content-type-options-nosniff
SECURE_CONTENT_TYPE_NOSNIFF = True
  2. HSTS settings
# Make the production server respond over HTTPS always. Only include subdomains
# if every subdomain is also served over HTTPS; otherwise restrict HSTS to the single domain.
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
# Start at 30 seconds and raise the value step by step, checking that nothing breaks
SECURE_HSTS_SECONDS = 30
SECURE_HSTS_PRELOAD = True
  3. Force/exempt SSL URLs
# Set to a list of URL regexes that need to be served over plain HTTP
# https://django-secure.readthedocs.io/en/latest/settings.html#secure-ssl-redirect
SECURE_REDIRECT_EXEMPT = []
SECURE_SSL_HOST = None
# W008 above expects True unless a load balancer or reverse proxy already redirects to HTTPS
SECURE_SSL_REDIRECT = False
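To see how the settings listed above map onto the check --deploy output earlier in these notes, the following added example re-implements the conditions behind those seven warnings as a plain function over a settings mapping, so it can be run without Django installed. It is written for this review and is not Django's own check framework or the portal project's settings; the INSECURE and HARDENED mappings are constructed samples, and the defaults it fills in are those of the Django 2.x line the notes assume. The real command runs further checks (DEBUG, ALLOWED_HOSTS, SECRET_KEY length and so on) that are not modelled here.

```python
"""Reproduce the seven security.Wxxx deploy warnings from the notes above.

Added example for this review; not Django's check framework and not the
portal project's settings. INSECURE and HARDENED are constructed samples.
"""

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
SESSION_MW = "django.contrib.sessions.middleware.SessionMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# Django 2.x defaults for the settings these checks look at.
DEFAULTS = {
    "MIDDLEWARE": [],
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_CONTENT_TYPE_NOSNIFF": False,
    "SECURE_BROWSER_XSS_FILTER": False,
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "X_FRAME_OPTIONS": "SAMEORIGIN",
}


def deploy_warnings(settings):
    """Return the security.Wxxx codes that would fire for ``settings``.

    Mirrors the conditions behind the seven warnings shown in the notes.
    Missing keys take the Django 2.x defaults above.
    """
    s = {**DEFAULTS, **settings}
    middleware = set(s["MIDDLEWARE"])
    codes = []
    if SECURITY_MW in middleware:
        # HSTS, nosniff, XSS filter and SSL redirect are all applied by
        # SecurityMiddleware, so these checks only matter once it is installed.
        if not s["SECURE_HSTS_SECONDS"]:
            codes.append("security.W004")
        if not s["SECURE_CONTENT_TYPE_NOSNIFF"]:
            codes.append("security.W006")
        if not s["SECURE_BROWSER_XSS_FILTER"]:
            codes.append("security.W007")
        if not s["SECURE_SSL_REDIRECT"]:
            codes.append("security.W008")
    if SESSION_MW in middleware and not s["SESSION_COOKIE_SECURE"]:
        codes.append("security.W012")
    if CSRF_MW in middleware and not s["CSRF_COOKIE_SECURE"]:
        codes.append("security.W016")
    if XFRAME_MW in middleware and s["X_FRAME_OPTIONS"] != "DENY":
        codes.append("security.W019")
    return codes


COMMON_MIDDLEWARE = [SECURITY_MW, SESSION_MW, CSRF_MW, XFRAME_MW]

# Constructed sample: middleware installed, every security setting left at default.
INSECURE = {"MIDDLEWARE": COMMON_MIDDLEWARE}

# Constructed sample: the settings recommended above, with a conservative HSTS age.
HARDENED = {
    "MIDDLEWARE": COMMON_MIDDLEWARE,
    "SECURE_HSTS_SECONDS": 30,  # raise step by step once HTTPS is confirmed everywhere
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_BROWSER_XSS_FILTER": True,
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "X_FRAME_OPTIONS": "DENY",
}

if __name__ == "__main__":
    print("insecure:", deploy_warnings(INSECURE))
    print("hardened:", deploy_warnings(HARDENED))
```

Running it on INSECURE yields the same seven codes, in the same order, as the check --deploy output above; HARDENED yields none. Setting SECURE_HSTS_SECONDS to any non-zero value silences W004, which is why the notes start at 30 seconds: a browser that has cached a long max-age keeps refusing plain HTTP until it expires, so the value is raised only after the site is confirmed to work over HTTPS.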