Django-Security is currently the most advanced and mature security package for Django framework. It’s been usable for a while, but thanks to hard work of the SDelements team to which I have also contributed a bit I can now recommend it for production use. This package offers a number of models, views, middlewares and forms to facilitate security hardening of Django applications. Some features became obsolete with time, as mainstream Django has implemented them, but what I pride most is quite robust implementation of Content Security Policy that makes it much easier and manageable compared to manipulating raw HTTP header.
Full documentation
Automatically generated documentation of django-security
is available on Read The Docs:
Installation
Install from Python packages repository:
pip install django-security
If you prefer the latest development version, install from django-security:
git clone https://github.com/sdelements/django-security.git cd django-security sudo python setup.py install
Adding to Django application’s settings.py
file:
INSTALLED_APPS = (
...
'security',
...
)
Middleware modules can be added to MIDDLEWARE_CLASSES
list in settings file:
MIDDLEWARE_CLASSES = (
...
'security.middleware.DoNotTrackMiddleware',
'security.middleware.ContentNoSniff',
'security.middleware.XssProtectMiddleware',
'security.middleware.XFrameOptionsMiddleware',
)
Unlike the modules listed above, some other modules require configuration settings, fully described in django-security documentation. Brief description is provided below.
Middleware
Provided middleware modules will modify web application’s output and input and in most cases requires no or minimum configuration.
Middleware | Description | Configuration </tr> |
---|---|---|
ContentNoSniff | Disable possibly insecure autodetection of MIME types in browsers. Recommended. | None. |
ContentSecurityPolicyMiddleware | Send Content Security Policy (CSP) header in HTTP response. Recommended, requires careful tuning. | Required. |
DoNotTrackMiddleware | Read user browser's DoNotTrack preference and pass it to application. Recommended, requires implementation in views and templates. | None. |
LoginRequiredMiddleware | Requires a user to be authenticated to view any page on the site that hasn’t been white listed. | Required. |
MandatoryPasswordChangeMiddleware | Redirects any request from an authenticated user to the password change form if that user’s password has expired. | Required. |
NoConfidentialCachingMiddleware | Adds No-Cache and No-Store headers to confidential pages. | Required. |
P3PPolicyMiddleware | Adds the HTTP header attribute specifying compact P3P policy. | Required. |
SessionExpiryPolicyMiddleware | Expire sessions on browser close, and on expiry times stored in the cookie itself. | Required. |
StrictTransportSecurityMiddleware | Enforce SSL/TLS connection and disable plaintext fall-back. Recommended for SSL/TLS sites. | Optional. |
XFrameOptionsMiddleware | Disable framing of the website, mitigating Clickjacking attacks. Recommended. | Optional. |
XssProtectMiddleware | Enforce browser's Cross Site Scripting protection. Recommended. | None.
</table>
Viewscsp_report View that allows reception of Content Security Policy violation reports sent by browsers in response to CSP header set by ``ContentSecurityPolicyMiddleware`. This should be used only if long term, continuous CSP report analysis is required. For one time CSP setup CspBuilder This view can be configured to either log received reports or store them in database. See documentation for details. require_ajax A view decorator which ensures that the request being proccessed by view is an AJAX request. Example usage:
@require_ajax
def myview(request):
...
ModelsCspReport Content Security Policy violation report object. Only makes sense if ContentSecurityPolicyMiddleware and csp_report view are used. With this model, the reports can be then analysed in Django admin site. PasswordExpiry Associate a password expiry date with a user.LoggingAll django-security modules send important log messages to `security` facility. The application should configure a handler to receive them:
LOGGING = {
...
'loggers': {
'security': {
'handlers': ['console',],
'level': 'INFO',
'propagate': False,
'formatter': 'verbose',
},
...
|