2011-12-17 10:48:27 +08:00
|
|
|
==================
|
|
|
|
Security in Django
|
|
|
|
==================
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2011-12-17 10:48:27 +08:00
|
|
|
This document is an overview of Django's security features. It includes advice
|
|
|
|
on securing a Django-powered site.
|
2011-06-10 23:14:36 +08:00
|
|
|
|
|
|
|
.. _cross-site-scripting:
|
|
|
|
|
|
|
|
Cross site scripting (XSS) protection
|
|
|
|
=====================================
|
|
|
|
|
2020-04-06 14:05:02 +08:00
|
|
|
.. highlight:: html+django
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2011-07-17 22:17:26 +08:00
|
|
|
XSS attacks allow a user to inject client side scripts into the browsers of
|
|
|
|
other users. This is usually achieved by storing the malicious scripts in the
|
|
|
|
database where it will be retrieved and displayed to other users, or by getting
|
2011-12-17 10:48:27 +08:00
|
|
|
users to click a link which will cause the attacker's JavaScript to be executed
|
2011-07-17 22:17:26 +08:00
|
|
|
by the user's browser. However, XSS attacks can originate from any untrusted
|
2011-12-17 10:48:27 +08:00
|
|
|
source of data, such as cookies or Web services, whenever the data is not
|
2011-07-17 22:17:26 +08:00
|
|
|
sufficiently sanitized before including in a page.
|
2011-06-10 23:14:36 +08:00
|
|
|
|
|
|
|
Using Django templates protects you against the majority of XSS attacks.
|
|
|
|
However, it is important to understand what protections it provides
|
|
|
|
and its limitations.
|
|
|
|
|
|
|
|
Django templates :ref:`escape specific characters <automatic-html-escaping>`
|
|
|
|
which are particularly dangerous to HTML. While this protects users from most
|
2011-06-14 18:34:52 +08:00
|
|
|
malicious input, it is not entirely foolproof. For example, it will not
|
2011-06-10 23:14:36 +08:00
|
|
|
protect the following:
|
|
|
|
|
2016-01-26 00:57:14 +08:00
|
|
|
.. code-block:: text
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2014-09-27 01:06:49 +08:00
|
|
|
<style class={{ var }}>...</style>
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2016-02-11 20:58:15 +08:00
|
|
|
.. highlighting as html+django fails due to intentionally missing quotes.
|
|
|
|
|
2011-06-10 23:14:36 +08:00
|
|
|
If ``var`` is set to ``'class1 onmouseover=javascript:func()'``, this can result
|
2011-12-17 10:48:27 +08:00
|
|
|
in unauthorized JavaScript execution, depending on how the browser renders
|
2014-09-27 01:06:49 +08:00
|
|
|
imperfect HTML. (Quoting the attribute value would fix this case.)
|
2011-06-10 23:14:36 +08:00
|
|
|
|
|
|
|
It is also important to be particularly careful when using ``is_safe`` with
|
2012-12-25 22:56:22 +08:00
|
|
|
custom template tags, the :tfilter:`safe` template tag, :mod:`mark_safe
|
2011-06-10 23:14:36 +08:00
|
|
|
<django.utils.safestring>`, and when autoescape is turned off.
|
|
|
|
|
|
|
|
In addition, if you are using the template system to output something other
|
|
|
|
than HTML, there may be entirely separate characters and words which require
|
|
|
|
escaping.
|
|
|
|
|
2011-07-17 22:17:26 +08:00
|
|
|
You should also be very careful when storing HTML in the database, especially
|
|
|
|
when that HTML is retrieved and displayed.
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2012-04-19 23:00:55 +08:00
|
|
|
|
2011-06-10 23:14:36 +08:00
|
|
|
Cross site request forgery (CSRF) protection
|
|
|
|
============================================
|
|
|
|
|
|
|
|
CSRF attacks allow a malicious user to execute actions using the credentials
|
|
|
|
of another user without that user's knowledge or consent.
|
|
|
|
|
|
|
|
Django has built-in protection against most types of CSRF attacks, providing you
|
|
|
|
have :ref:`enabled and used it <using-csrf>` where appropriate. However, as with
|
|
|
|
any mitigation technique, there are limitations. For example, it is possible to
|
|
|
|
disable the CSRF module globally or for particular views. You should only do
|
|
|
|
this if you know what you are doing. There are other :ref:`limitations
|
|
|
|
<csrf-limitations>` if your site has subdomains that are outside of your
|
|
|
|
control.
|
|
|
|
|
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
2015-11-08 00:35:45 +08:00
|
|
|
:ref:`CSRF protection works <how-csrf-works>` by checking for a secret in each
|
2019-06-17 22:54:55 +08:00
|
|
|
POST request. This ensures that a malicious user cannot "replay" a form POST to
|
|
|
|
your website and have another logged in user unwittingly submit that form. The
|
|
|
|
malicious user would have to know the secret, which is user specific (using a
|
|
|
|
cookie).
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2012-12-25 22:56:22 +08:00
|
|
|
When deployed with :ref:`HTTPS <security-recommendation-ssl>`,
|
|
|
|
``CsrfViewMiddleware`` will check that the HTTP referer header is set to a
|
2012-09-07 04:08:14 +08:00
|
|
|
URL on the same origin (including subdomain and port). Because HTTPS
|
|
|
|
provides additional security, it is imperative to ensure connections use HTTPS
|
|
|
|
where it is available by forwarding insecure connection requests and using
|
|
|
|
HSTS for supported browsers.
|
|
|
|
|
2011-06-10 23:14:36 +08:00
|
|
|
Be very careful with marking views with the ``csrf_exempt`` decorator unless
|
|
|
|
it is absolutely necessary.
|
|
|
|
|
2014-04-25 02:10:03 +08:00
|
|
|
.. _sql-injection-protection:
|
2012-09-07 04:08:14 +08:00
|
|
|
|
2011-06-10 23:14:36 +08:00
|
|
|
SQL injection protection
|
|
|
|
========================
|
|
|
|
|
|
|
|
SQL injection is a type of attack where a malicious user is able to execute
|
|
|
|
arbitrary SQL code on a database. This can result in records
|
|
|
|
being deleted or data leakage.
|
|
|
|
|
2017-10-23 20:21:38 +08:00
|
|
|
Django's querysets are protected from SQL injection since their queries are
|
|
|
|
constructed using query parameterization. A query's SQL code is defined
|
|
|
|
separately from the query's parameters. Since parameters may be user-provided
|
|
|
|
and therefore unsafe, they are escaped by the underlying database driver.
|
|
|
|
|
|
|
|
Django also gives developers power to write :ref:`raw queries
|
|
|
|
<executing-raw-queries>` or execute :ref:`custom sql <executing-custom-sql>`.
|
|
|
|
These capabilities should be used sparingly and you should always be careful to
|
|
|
|
properly escape any parameters that the user can control. In addition, you
|
|
|
|
should exercise caution when using :meth:`~django.db.models.query.QuerySet.extra`
|
|
|
|
and :class:`~django.db.models.expressions.RawSQL`.
|
2011-06-10 23:14:36 +08:00
|
|
|
|
|
|
|
Clickjacking protection
|
|
|
|
=======================
|
|
|
|
|
|
|
|
Clickjacking is a type of attack where a malicious site wraps another site
|
|
|
|
in a frame. This attack can result in an unsuspecting user being tricked
|
|
|
|
into performing unintended actions on the target site.
|
|
|
|
|
|
|
|
Django contains :ref:`clickjacking protection <clickjacking-prevention>` in
|
|
|
|
the form of the
|
|
|
|
:mod:`X-Frame-Options middleware <django.middleware.clickjacking.XFrameOptionsMiddleware>`
|
|
|
|
which in a supporting browser can prevent a site from being rendered inside
|
2011-06-14 18:34:52 +08:00
|
|
|
a frame. It is possible to disable the protection on a per view basis
|
2011-06-10 23:14:36 +08:00
|
|
|
or to configure the exact header value sent.
|
|
|
|
|
|
|
|
The middleware is strongly recommended for any site that does not need to have
|
|
|
|
its pages wrapped in a frame by third party sites, or only needs to allow that
|
|
|
|
for a small section of the site.
|
|
|
|
|
2012-09-07 04:08:14 +08:00
|
|
|
.. _security-recommendation-ssl:
|
|
|
|
|
2011-06-10 23:14:36 +08:00
|
|
|
SSL/HTTPS
|
|
|
|
=========
|
|
|
|
|
2015-12-20 12:55:15 +08:00
|
|
|
It is always better for security to deploy your site behind HTTPS. Without
|
|
|
|
this, it is possible for malicious network users to sniff authentication
|
|
|
|
credentials or any other information transferred between client and server, and
|
|
|
|
in some cases -- **active** network attackers -- to alter data that is sent in
|
|
|
|
either direction.
|
2011-06-10 23:14:36 +08:00
|
|
|
|
|
|
|
If you want the protection that HTTPS provides, and have enabled it on your
|
2012-06-05 03:31:23 +08:00
|
|
|
server, there are some additional steps you may need:
|
|
|
|
|
|
|
|
* If necessary, set :setting:`SECURE_PROXY_SSL_HEADER`, ensuring that you have
|
|
|
|
understood the warnings there thoroughly. Failure to do this can result
|
|
|
|
in CSRF vulnerabilities, and failure to do it correctly can also be
|
|
|
|
dangerous!
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2015-09-04 21:19:27 +08:00
|
|
|
* Set :setting:`SECURE_SSL_REDIRECT` to ``True``, so that requests over HTTP
|
|
|
|
are redirected to HTTPS.
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2015-09-04 21:19:27 +08:00
|
|
|
Please note the caveats under :setting:`SECURE_PROXY_SSL_HEADER`. For the
|
|
|
|
case of a reverse proxy, it may be easier or more secure to configure the
|
|
|
|
main Web server to do the redirect to HTTPS.
|
2011-06-10 23:14:36 +08:00
|
|
|
|
|
|
|
* Use 'secure' cookies.
|
|
|
|
|
|
|
|
If a browser connects initially via HTTP, which is the default for most
|
|
|
|
browsers, it is possible for existing cookies to be leaked. For this reason,
|
|
|
|
you should set your :setting:`SESSION_COOKIE_SECURE` and
|
|
|
|
:setting:`CSRF_COOKIE_SECURE` settings to ``True``. This instructs the browser
|
|
|
|
to only send these cookies over HTTPS connections. Note that this will mean
|
|
|
|
that sessions will not work over HTTP, and the CSRF protection will prevent
|
2011-06-14 18:34:52 +08:00
|
|
|
any POST data being accepted over HTTP (which will be fine if you are
|
2011-06-10 23:14:36 +08:00
|
|
|
redirecting all HTTP traffic to HTTPS).
|
|
|
|
|
2015-09-04 21:19:27 +08:00
|
|
|
* Use :ref:`http-strict-transport-security` (HSTS)
|
2012-09-07 03:13:31 +08:00
|
|
|
|
|
|
|
HSTS is an HTTP header that informs a browser that all future connections
|
|
|
|
to a particular site should always use HTTPS. Combined with redirecting
|
|
|
|
requests over HTTP to HTTPS, this will ensure that connections always enjoy
|
|
|
|
the added security of SSL provided one successful connection has occurred.
|
2016-07-29 00:48:07 +08:00
|
|
|
HSTS may either be configured with :setting:`SECURE_HSTS_SECONDS`,
|
|
|
|
:setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS`, and :setting:`SECURE_HSTS_PRELOAD`,
|
|
|
|
or on the Web server.
|
2012-09-07 03:13:31 +08:00
|
|
|
|
2012-09-07 04:08:14 +08:00
|
|
|
.. _host-headers-virtual-hosting:
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2013-02-10 01:17:01 +08:00
|
|
|
Host header validation
|
|
|
|
======================
|
2011-09-10 08:46:38 +08:00
|
|
|
|
2013-02-10 01:17:01 +08:00
|
|
|
Django uses the ``Host`` header provided by the client to construct URLs in
|
|
|
|
certain cases. While these values are sanitized to prevent Cross Site Scripting
|
|
|
|
attacks, a fake ``Host`` value can be used for Cross-Site Request Forgery,
|
|
|
|
cache poisoning attacks, and poisoning links in emails.
|
2011-12-17 10:48:27 +08:00
|
|
|
|
2013-04-30 01:40:03 +08:00
|
|
|
Because even seemingly-secure web server configurations are susceptible to fake
|
2013-02-10 01:17:01 +08:00
|
|
|
``Host`` headers, Django validates ``Host`` headers against the
|
|
|
|
:setting:`ALLOWED_HOSTS` setting in the
|
|
|
|
:meth:`django.http.HttpRequest.get_host()` method.
|
|
|
|
|
|
|
|
This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
|
|
|
|
if your code accesses the ``Host`` header directly from ``request.META`` you
|
|
|
|
are bypassing this security protection.
|
|
|
|
|
|
|
|
For more details see the full :setting:`ALLOWED_HOSTS` documentation.
|
|
|
|
|
|
|
|
.. warning::
|
|
|
|
|
2013-04-30 01:40:03 +08:00
|
|
|
Previous versions of this document recommended configuring your web server to
|
2013-02-10 01:17:01 +08:00
|
|
|
ensure it validates incoming HTTP ``Host`` headers. While this is still
|
2013-04-30 01:40:03 +08:00
|
|
|
recommended, in many common web servers a configuration that seems to
|
2013-02-10 01:17:01 +08:00
|
|
|
validate the ``Host`` header may not in fact do so. For instance, even if
|
|
|
|
Apache is configured such that your Django site is served from a non-default
|
|
|
|
virtual host with the ``ServerName`` set, it is still possible for an HTTP
|
|
|
|
request to match this virtual host and supply a fake ``Host`` header. Thus,
|
|
|
|
Django now requires that you set :setting:`ALLOWED_HOSTS` explicitly rather
|
2013-04-30 01:40:03 +08:00
|
|
|
than relying on web server configuration.
|
2011-09-10 08:46:38 +08:00
|
|
|
|
2016-04-04 23:55:34 +08:00
|
|
|
Additionally, Django requires you to explicitly enable support for the
|
|
|
|
``X-Forwarded-Host`` header (via the :setting:`USE_X_FORWARDED_HOST` setting)
|
|
|
|
if your configuration requires it.
|
2012-11-28 05:19:37 +08:00
|
|
|
|
2019-03-22 05:33:41 +08:00
|
|
|
Referrer policy
|
|
|
|
===============
|
|
|
|
|
|
|
|
Browsers use the ``Referer`` header as a way to send information to a site
|
|
|
|
about how users got there. By setting a *Referrer Policy* you can help to
|
|
|
|
protect the privacy of your users, restricting under which circumstances the
|
|
|
|
``Referer`` header is set. See :ref:`the referrer policy section of the
|
|
|
|
security middleware reference <referrer-policy>` for details.
|
|
|
|
|
2013-09-26 00:59:33 +08:00
|
|
|
Session security
|
|
|
|
================
|
|
|
|
|
|
|
|
Similar to the :ref:`CSRF limitations <csrf-limitations>` requiring a site to
|
|
|
|
be deployed such that untrusted users don't have access to any subdomains,
|
|
|
|
:mod:`django.contrib.sessions` also has limitations. See :ref:`the session
|
|
|
|
topic guide section on security <topics-session-security>` for details.
|
2012-11-28 05:19:37 +08:00
|
|
|
|
2013-11-13 20:38:03 +08:00
|
|
|
.. _user-uploaded-content-security:
|
|
|
|
|
|
|
|
User-uploaded content
|
|
|
|
=====================
|
|
|
|
|
|
|
|
.. note::
|
|
|
|
Consider :ref:`serving static files from a cloud service or CDN
|
|
|
|
<staticfiles-from-cdn>` to avoid some of these issues.
|
|
|
|
|
|
|
|
* If your site accepts file uploads, it is strongly advised that you limit
|
|
|
|
these uploads in your Web server configuration to a reasonable
|
|
|
|
size in order to prevent denial of service (DOS) attacks. In Apache, this
|
|
|
|
can be easily set using the LimitRequestBody_ directive.
|
|
|
|
|
|
|
|
* If you are serving your own static files, be sure that handlers like Apache's
|
|
|
|
``mod_php``, which would execute static files as code, are disabled. You don't
|
|
|
|
want users to be able to execute arbitrary code by uploading and requesting a
|
|
|
|
specially crafted file.
|
|
|
|
|
|
|
|
* Django's media upload handling poses some vulnerabilities when that media is
|
|
|
|
served in ways that do not follow security best practices. Specifically, an
|
|
|
|
HTML file can be uploaded as an image if that file contains a valid PNG
|
|
|
|
header followed by malicious HTML. This file will pass verification of the
|
2014-03-21 22:54:53 +08:00
|
|
|
library that Django uses for :class:`~django.db.models.ImageField` image
|
|
|
|
processing (Pillow). When this file is subsequently displayed to a
|
2013-11-13 20:38:03 +08:00
|
|
|
user, it may be displayed as HTML depending on the type and configuration of
|
|
|
|
your web server.
|
|
|
|
|
|
|
|
No bulletproof technical solution exists at the framework level to safely
|
|
|
|
validate all user uploaded file content, however, there are some other steps
|
|
|
|
you can take to mitigate these attacks:
|
|
|
|
|
2018-11-16 02:54:28 +08:00
|
|
|
#. One class of attacks can be prevented by always serving user uploaded
|
2014-04-25 22:27:13 +08:00
|
|
|
content from a distinct top-level or second-level domain. This prevents
|
|
|
|
any exploit blocked by `same-origin policy`_ protections such as cross
|
|
|
|
site scripting. For example, if your site runs on ``example.com``, you
|
|
|
|
would want to serve uploaded content (the :setting:`MEDIA_URL` setting)
|
|
|
|
from something like ``usercontent-example.com``. It's *not* sufficient to
|
2013-11-13 20:38:03 +08:00
|
|
|
serve content from a subdomain like ``usercontent.example.com``.
|
|
|
|
|
2020-06-17 19:15:56 +08:00
|
|
|
#. Beyond this, applications may choose to define a list of allowable
|
2013-11-13 20:38:03 +08:00
|
|
|
file extensions for user uploaded files and configure the web server
|
|
|
|
to only serve such files.
|
|
|
|
|
2015-08-08 18:02:32 +08:00
|
|
|
.. _same-origin policy: https://en.wikipedia.org/wiki/Same-origin_policy
|
2013-11-13 20:38:03 +08:00
|
|
|
|
2012-09-07 04:08:14 +08:00
|
|
|
.. _additional-security-topics:
|
|
|
|
|
2011-06-10 23:14:36 +08:00
|
|
|
Additional security topics
|
|
|
|
==========================
|
|
|
|
|
|
|
|
While Django provides good security protection out of the box, it is still
|
|
|
|
important to properly deploy your application and take advantage of the
|
2011-12-17 10:48:27 +08:00
|
|
|
security protection of the Web server, operating system and other components.
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2011-12-17 10:48:27 +08:00
|
|
|
* Make sure that your Python code is outside of the Web server's root. This
|
2011-07-07 07:44:54 +08:00
|
|
|
will ensure that your Python code is not accidentally served as plain text
|
|
|
|
(or accidentally executed).
|
|
|
|
* Take care with any :ref:`user uploaded files <file-upload-security>`.
|
2011-06-10 23:14:36 +08:00
|
|
|
* Django does not throttle requests to authenticate users. To protect against
|
|
|
|
brute-force attacks against the authentication system, you may consider
|
2011-12-17 10:48:27 +08:00
|
|
|
deploying a Django plugin or Web server module to throttle these requests.
|
2011-06-10 23:14:36 +08:00
|
|
|
* Keep your :setting:`SECRET_KEY` a secret.
|
|
|
|
* It is a good idea to limit the accessibility of your caching system and
|
|
|
|
database using a firewall.
|
2016-04-07 01:00:38 +08:00
|
|
|
* Take a look at the Open Web Application Security Project (OWASP) `Top 10
|
|
|
|
list`_ which identifies some common vulnerabilities in web applications. While
|
|
|
|
Django has tools to address some of the issues, other issues must be
|
|
|
|
accounted for in the design of your project.
|
2020-04-22 22:26:15 +08:00
|
|
|
* Mozilla discusses various topics regarding `web security`_. Their
|
|
|
|
pages also include security principles that apply to any system.
|
2011-06-10 23:14:36 +08:00
|
|
|
|
2015-11-30 00:29:46 +08:00
|
|
|
.. _LimitRequestBody: https://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
|
2020-06-15 15:44:08 +08:00
|
|
|
.. _Top 10 list: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/
|
2020-04-22 22:26:15 +08:00
|
|
|
.. _web security: https://infosec.mozilla.org/guidelines/web_security.html
|