There are a large number of security considerations for your projects. This article covers a large number of them, but it may not be sufficient, depending on your requirements/use-case. I would also recommend not implementing these settings directly on a production server, as it can be quite easy to make things inaccessible – proceed with caution & with the knowledge that things can go wrong.
Once you’re finished, you can run python manage.py checksecure for a quick check of your SSL settings. I also find that using Mozilla Observatory is very beneficial for assessing web-app security.
First off – make sure Debug is set to False in settings.py. This is a must-do for production systems, as sometimes the error messages can contain sensitive information that you would rather end-users could not see.
Additionally, change your secret key from the default django-insecure key to a long, randomised list of characters.
Always use HTTPS!
First of all, of course, we should use HTTPS for all communications, so you will need to install an SSL certificate on your server and redirect any HTTP requests to use HTTPS. Additionally, we should update the settings.py file to force SSL redirect (by setting SECURE_SSL_REDIRECT to True) and set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to be True – so that cookies are also only sent over HTTPS.
Also, we can set CSRF_COOKIE_HTTPONLY to True, which will mean that client-side JavaScript will not be able to access CSRF cookies – it must be via HTTP(s).
HSTS!
Next, we want to implement HSTS. This stands for HTTP Strict Transport Security. This is designed to stop man in the middle attacks via the use of SSL stripping. According to Acunetix: “SSL stripping is a technique where an attacker forces the browser to connect to a site using HTTP so that they can sniff packets and intercept or modify sensitive information. HSTS is also a good method to protect yourself from cookie hijacking”.
So, HSTS forces the browser to make all requests via HTTPS for a given period of time (usually a year). If the browser receives any HTTP requests, it should retry via HTTPS. If the request fails, it should terminate the connection. Similarly, if there is an invalid SSL certificate, the connection should be terminated.
Cross-Site-Scripting (XSS)
Make sure you set the SECURE_BROWSER_XSS_FILTER setting to be true to enable the browsers XSS protection. Additionally, the SECURE_FRAME_DENY setting should be True in order to prevent clickjacking on your pages.
Non-Django security
- Use SSH keys, not passwords for access
- Disable password authentication in your SSH config
- Creater a new SUDO user and disable root login in your SSH config
- Make sure you have a local firewall (UFW) configured on your server
- Enable a cloud firewall to add further security – limit ports & IP ranges that can access servers where necessary.
- Use Cloudflare so that you can take advantage of their build-in security features.
The external factors to your application are depicted below. These are just some of the security considerations that you can use to protect your app!
As I mentioned above, these settings may or may not be sufficient for your use-case – this is a good starting point, at the very least.
