25/09/2016

A handy security checklist


Security is not an afterthought but is instead integral to the way you write applications. However, being human, it is handy to have a checklist to remind you of the common omissions.

The following points are a bare minimum of security checks that you should perform before making your Django application public.




Don’t trust data from a browser, API, or any outside sources: This is a fundamental rule. Make sure you validate and sanitize any outside data.

Don’t keep SECRET_KEY in version control: As a best practice, pick

SECRET_KEY from the environment. Check out the Django-environ package.

Don’t store passwords in plain text: Store your application password hashes instead. Add a random salt as well.

Don’t log any sensitive data: Filter out the confidential data such as credit card details or API keys from your log files.

Any secure transaction or login should use SSL: Be aware that eavesdroppers in the same network as you are could listen to your web traffic if is not in HTTPS. Ideally, you ought to use HTTPS for the entire site.

Avoid using redirects to user-supplied URLs: If you have redirects such as http://example.com/r?url=http://evil.com, then always check against whitelisted domains.

Check authorization even for authenticated users: Before performing any change with side effects, check whether the logged-in user is allowed to perform it.

Use the strictest possible regular expressions: Be it your URLconf or form validators, you must avoid lazy and generic regular expressions.

Don’t keep your Python code in web root: This can lead to an accidental leak of source code if it gets served as plain text.

Use Django templates instead of building strings by hand: Templates have protection against XSS attacks.

Use Django ORM rather than SQL commands: The ORM offers protection against SQL injection.

Use Django forms with POST input for any action with side effects: It might seem like overkill to use forms for a simple vote button. Do it.

CSRF should be enabled and used: Be very careful if you are exempting certain views using the @csrf_exempt decorator.

Ensure that Django and all packages are the latest versions: Plan for updates. They might need some changes to be made to your source code. However, they bring shiny new features and security fixes too.

Limit the size and type of user-uploaded files: Allowing large file uploads can cause denial-of-service attacks. Deny uploading of executables or scripts.

Have a backup and recovery plan: Thanks to Murphy, you can plan for an inevitable attack, catastrophe, or any other kind of downtime. Make sure you take frequent backups to minimize data loss.

Some of these can be checked automatically using Erik’s Pony Checkup at http://ponycheckup.com/. However, I would recommend that you print or copy this checklist and stick it on your desk.

Không có nhận xét nào:

Đăng nhận xét