You already know that web security matters for keeping attackers and data thieves away from sensitive information. In this post we walk through common Django security weaknesses and how to fix them before deployment.
Full Post: [https://reversepython.net/lab/django-web-security-checklist-deployment/](https://reversepython.net/lab/django-web-security-checklist-deployment/)
4 thoughts on “Django web security checklist before deployment”
Great post, thanks.
CSP is great, but that CSP section is painful. I see no reason to use a library to set the headers. Middleware is simple to write, and those tuples of string-wrapped strings are an eyesore. More importantly, at the very least the script-src should be restricted to the static URL. It will prevent anyone from trying to sneakily upload JS to the media URL.
Edit: a more specific criticism of the CSP package is that it's almost a pure leaky abstraction. It requires the developer to know almost exactly how the CSP header is formed, but with more overhead. The only arguable benefit is that it could be grouped with other header settings. The counter-argument would be that middleware is just as clean and conventional.
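The hand-written middleware the comment above argues for, as an added example that is not part of the post, the comment, or the django-csp package. It assumes a `STATIC_URL` setting (hypothetical value `/static/`) and a default policy of my own choosing; a Django middleware is just a callable wrapping `get_response`, so the header construction needs no Django import and can be checked offline against a stand-in request and a plain dict as the response. One caveat the comment glosses over: a CSP source expression needs a host, so a path-only `STATIC_URL` cannot be used as-is and must be joined with the request's scheme and host.

```python
"""Minimal Django-style Content-Security-Policy middleware, built by hand.

Added example; not the post's code and not django-csp. STATIC_URL and the
default policy below are assumptions standing in for project settings.
"""

# assumption: the project's STATIC_URL setting (path-only here, CDN URLs also work)
STATIC_URL = "/static/"

# assumption: a conservative default policy. script-src is left empty here and
# filled in per request with the static origin only, so a .js file uploaded to
# MEDIA_URL (usually same-origin) is never an allowed script source.
DEFAULT_POLICY = {
    "default-src": ["'self'"],
    "script-src": [],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
}


def static_script_source(request, static_url=STATIC_URL):
    """Return a CSP host-source for the static files location.

    CSP host-sources require a host part, so a bare path such as "/static/" is
    not valid on its own; it is joined with the request's scheme and host.
    An absolute STATIC_URL (e.g. a CDN) is returned unchanged.
    """
    if "://" in static_url:
        return static_url
    # request.scheme and request.get_host() exist on django.http.HttpRequest
    return f"{request.scheme}://{request.get_host()}{static_url}"


def build_csp(policy):
    """Serialise {directive: [sources]} into a CSP header value.

    Directives with no sources are skipped; order follows the dict order.
    """
    return "; ".join(
        f"{directive} {' '.join(sources)}"
        for directive, sources in policy.items()
        if sources
    )


class ContentSecurityPolicyMiddleware:
    """Django middleware: add a CSP header to every response that lacks one.

    Usage (assumption: settings.MIDDLEWARE entry pointing at this class):
        MIDDLEWARE = [..., "myproject.csp.ContentSecurityPolicyMiddleware"]
    """

    HEADER = "Content-Security-Policy"
    REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"

    def __init__(self, get_response, policy=None, static_url=STATIC_URL,
                 report_only=False):
        self.get_response = get_response
        self.policy = dict(policy or DEFAULT_POLICY)
        self.static_url = static_url
        self.header = self.REPORT_ONLY_HEADER if report_only else self.HEADER

    def header_value(self, request):
        """Build the header for this request; script-src is the static origin only."""
        policy = dict(self.policy)
        policy["script-src"] = [static_script_source(request, self.static_url)]
        return build_csp(policy)

    def __call__(self, request):
        response = self.get_response(request)
        # Do not clobber a header a view set deliberately (e.g. a stricter one).
        if self.header not in response:
            response[self.header] = self.header_value(request)
        return response
```

With the defaults above, a request for `https://example.com/` gets `script-src https://example.com/static/`, and nothing served from the media path can be executed as a script even though `default-src` still allows same-origin fetches.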
If anyone wants to use HTTP/2 server push in conjunction with django-csp and preload headers (which can be tricky to do by hand), check out this small middleware I created: https://github.com/pirate/django-http2-middleware