.. image:: https://jazzband.co/static/img/badge.svg :target: https://jazzband.co/ :alt: Jazzband
.. image:: https://img.shields.io/github/stars/jazzband/django-axes.svg?label=Stars&style=socialcA :target: https://github.com/jazzband/django-axes :alt: GitHub
.. image:: https://img.shields.io/pypi/v/django-axes.svg :target: https://pypi.org/project/django-axes/ :alt: PyPI release
.. image:: https://img.shields.io/pypi/pyversions/django-axes.svg :target: https://pypi.org/project/django-axes/ :alt: Supported Python versions
.. image:: https://img.shields.io/pypi/djversions/django-axes.svg :target: https://pypi.org/project/django-axes/ :alt: Supported Django versions
.. image:: https://img.shields.io/readthedocs/django-axes.svg :target: https://django-axes.readthedocs.io/ :alt: Documentation
.. image:: https://github.com/jazzband/django-axes/workflows/Test/badge.svg :target: https://github.com/jazzband/django-axes/actions :alt: GitHub Actions
.. image:: https://codecov.io/gh/jazzband/django-axes/branch/master/graph/badge.svg :target: https://codecov.io/gh/jazzband/django-axes :alt: Coverage
Axes is a Django plugin for keeping track of suspicious login attempts for your Django based website and implementing simple brute-force attack blocking.
The name is sort of a geeky pun, since it can be interpreted as:
access, as in monitoring access attempts, oraxes, as in tools you can use to hack (generally on wood).Axes records login attempts to your Django powered site and prevents attackers from attempting further logins to your site when they exceed the configured attempt limit.
Axes can track the attempts and persist them in the database indefinitely, or alternatively use a fast and DDoS resistant cache implementation.
Axes can be configured to monitor login attempts by IP address, username, user agent, or their combinations.
Axes supports cool off periods, IP address allow listing and block listing, user account allow listing, and other features for Django access management.
For more information on installation and configuration see the documentation at:
https://django-axes.readthedocs.io/
If you have questions or have trouble using the app please file a bug report at:
https://github.com/jazzband/django-axes/issues
See CONTRIBUTING <CONTRIBUTING.rst>__.
version 7 upgrade notes in the documentation <https://github.com/jazzband/django-axes/blob/4e89d72b92db044ff3f6b23ea2ab2e681211c98e/docs/2_installation.rst#version-7-breaking-changes-and-upgrading-from-django-axes-version-6>_.
[browniebroke]setuptools and pkg_resources dependencies.
[Viicos]axes_reset_ip_username.
[p-l-]TransactionManagementError when using the database handler
with a custom database with for AccessAttempt or AccessFailureLog.
[hirotasoshu]AXES_SENSITIVE_PARAMETERS default value to ["username", "ip_address"] in addition to the AXES_PASSWORD_FORM_FIELD configuration flag.
This masks the username and IP address fields by default in the logs when writing information about login attempts to the application logs.
Reverting to old configuration default of [] can be done by setting AXES_SENSITIVE_PARAMETERS = [] in the Django project settings file.
[GitRon]Version 6 is a breaking release. Please see the documentation for upgrade instructions.
is_admin_site API call with misleading naming.
[hirotasoshu]AXES_LOCKOUT_PARAMETERS configuration flag that will supersede AXES_ONLY_USER_FAILURES, AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP, AXES_LOCK_OUT_BY_USER_OR_IP, and AXES_USE_USER_AGENT configurations. Add deprecation warnings for old flags. See project documentation on RTD for update instructions.
[hirotasoshu]cache.incr API for atomic cached failure counting
[hirotasoshu, aleksihakli]django-ipware an optional dependency. Install it with e.g. pip install django-axes[ipware] package and extras specifier. [aleksihakli]6.1. [aleksihakli]
AXES_PROXY_ORDER is now AXES_IPWARE_PROXY_ORDER,AXES_PROXY_COUNT is now AXES_IPWARE_PROXY_COUNT,AXES_PROXY_TRUSTED_IPS is now AXES_IPWARE_PROXY_TRUSTED_IPS, andAXES_META_PRECEDENCE_ORDER is now AXES_IPWARE_META_PRECEDENCE_ORDER.AXES_CLIENT_CALLABLE setting. [hirotasoshu]AxesStandaloneBackend without ModelBackend dependencies.
[jcgiuffrida]AXES_COOLOFF_TIME.
[hramezani]django-ipware version requirements to allow newer versions.
[aleksihakli]pkg_resources missing for package version resolution on runtime
due to setuptools not being a runtime dependency.
[asherf]AXES_USERNAME_CALLABLE not receiving credentials attribute
in Axes middleware lockout response when user is locked out.
[rootart]unique_together constraints
and data and schema migration.
[PetrDlouhy]request as argument to AXES_CLIENT_STR_CALLABLE.
[sarahboyce]failures_since_start handling by moving the counter incrementation
from non-atomic Python code call to atomic database function.
[okapies]request.axes_failures_since_start attribute.
[okapies]AXES_HTTP_RESPONSE_CODE setting.
[phil-bell]get_or_create for access attempt fetching and updates.
[uli-klank]default_auto_field warning.
[zkanda]default_app_config deprecation.
Django 3.2 automatically detects AppConfig and therefore this setting is no longer required.
[nikolaik]AXES_CLIENT_STR_CALLABLE setting.
[smtydn]AXES_SENSITIVE_PARAMETERS setting.
[mcoconnor]AXES_VERBOSE to AXES_ENABLED configuration setting,
disabling verbose startup logging when Axes itself is disabled.
[christianbundy]AXES_ALLOWED_CORS_ORIGINS configuration flag.
[vladox]@wraps decorator to axes.decorators.axes_dispatch.
[aleksihakli]DEFAULT_AUTO_FIELD to test settings.
[hramezani]AXES_ENABLED is False.
[ashokdelphia]AccessAttempt creation with database handler when
username is not set and AXES_ONLY_USER_FAILURES setting is not set.
[hramezani]AXES_ENABLED flag so that
imports are always done the same way and initial log
is written regardless of the setting and it only affects
code that is decorated or wrapped with toggleable.
[alekshakli]AXES_LOGGER Axes setting and move to __name__
based logging and fully qualified Python module name log identifiers.
[aleksihakli]axes_reset_user management command.
[aleksihakli]subTest support via pytest-subtests package.
[smithdc1]django-appconf and use plain settings for Axes.
[aleksihakli]request.is_ajax method.
[smithdc1]LOCK_OUT_BY_USER_OR_IP flag.
[PetrDlouhy]providing_args for Django 3.1 support.
[coredumperror]AXES_ONLY_ADMIN_SITE functionality when
no default admin site is defined in the URL configuration.
[igor-shevchenko]axes.handlers.proxy.AxesProxyHandler.get_failures.
[aleksihakli]AXES_LOCKOUT_CALLABLE configuration flag.
[aleksihakli]AXES_WHITELIST_CALLABLE configuration flag.
[aleksihakli]cooloff_timedelta context variable to lockout responses.
[jstockwin]AXES_ENABLE_ADMIN flag.
[flannelhead]setuptools_scm and automatic versioning.
[aleksihakli]AXES_COOLOFF_TIME setting.
[DariaPlotnikova]axes.helpers.get_client_cache_key
for framework compatibility, fixes #471.
[aleksihakli]NotImplementedError by default.
[aleksihakli]AXES_ONLY_ADMIN_SITE flag for only running Axes on admin site.
[hramezani]axes_reset_logs command for removing old AccessLog records.
[tlebrize]AxesBackend subclasses to pass the axes.W003 system check.
[adamchainz]Fix lockout message showing when lockout is disabled
with the AXES_LOCK_OUT_AT_FAILURE setting.
[mogzol]
Add support for callable AXES_FAILURE_LIMIT setting.
[bbayles]
AXES_DISABLE_SUCCESS_ACCESS_LOG flag in favour of
AXES_DISABLE_ACCESS_LOG which has mostly the same functionality.
Update documentation to better reflect the behaviour of the flag.
[aleksihakli]Change the lockout response calculation to request flagging
instead of exception throwing in the signal handler and middleware.
Move request attribute calculation from middleware to handler layer.
Deprecate axes.request.AxesHttpRequest object type definition.
[aleksihakli]
Deprecate the old version 4.x axes.backends.AxesModelBackend class.
[aleksihakli]
Improve documentation on attempt tracking, resets, Axes customization, project and component compatibility and integrations, and other things. [aleksihakli]
Fix django.contrib.auth module login and logout functionality
so that they work with the handlers without the an AxesHttpRequest
to improve cross compatibility with other Django applications.
[aleksihakli]
Change IP address resolution to allow empty or missing addresses. [aleksihakli]
Add error logging for missing request attributes in the handler layer so that users get better indicators of misconfigured applications. [aleksihakli]
AXES_ENABLED setting for disabling Axes with e.g. tests
that use Django test client login, logout, and force_login
methods, which do not supply the request argument to views,
preventing Axes from functioning correctly in certain test setups.
[aleksihakli]Deprecate Python 2.7, 3.4 and 3.5 support. [aleksihakli]
Remove automatic decoration and monkey-patching of Django views and forms. Decorators are available for login function and method decoration as before. [aleksihakli]
Use backend, middleware, and signal handlers for tracking login attempts and implementing user lockouts. [aleksihakli, jorlugaqui, joshua-s]
Add AxesDatabaseHandler, AxesCacheHandler, and AxesDummyHandler
handler backends for processing user login and logout events and failures.
Handlers are configurable with the AXES_HANDLER setting.
[aleksihakli, jorlugaqui, joshua-s]
Improve management commands and separate commands for resetting
all access attempts, attempts by IP, and attempts by username.
New command names are axes_reset, axes_reset_ip and axes_reset_username.
[aleksihakli]
Add support for string import for AXES_USERNAME_CALLABLE
that supports dotted paths in addition to the old
callable type such as a function or a class method.
[aleksihakli]
Deprecate one argument call signature for AXES_USERNAME_CALLABLE.
From now on, the callable needs to accept two arguments,
the HttpRequest and credentials that are supplied to the
Django authenticate method in authentication backends.
[aleksihakli]
Move axes.attempts.is_already_locked function to axes.handlers.AxesProxyHandler.is_locked.
Various other previously undocumented methods have been deprecated and moved inside the project.
The new documented public APIs can be considered as stable and can be safely utilized by other projects.
[aleksihakli]
Improve documentation layouting and contents. Add public API reference section. [aleksihakli]
Remove the unused AccessAttempt.trusted flag from models
[aleksihakli]
Improve README and Travis CI setups [aleksihakli]
Removed duplicated check that was causing issues when using APIs. [camilonova]
Added Russian translations [lubicz-sielski]
Improve support for custom authentication credentials using the
AXES_USERNAME_FORM_FIELD and AXES_USERNAME_CALLABLE settings.
[mastacheata]
Updated behaviour for fetching username from request or credentials:
If no AXES_USERNAME_CALLABLE is configured, the optional
credentials that are supplied to the axes utility methods
are now the default source for client username and the HTTP
request POST is the fallback for fetching the user information.
AXES_USERNAME_CALLABLE implements an alternative signature with two
arguments request, credentials in addition to the old request
call argument signature in a backwards compatible fashion.
[aleksihakli]
Add official support for the Django 2.1 version and Python 3.7. [aleksihakli]
Improve the requirements, documentation, tests, and CI setup. [aleksihakli]
Fix MANIFEST.in missing German translations [aleksihakli]
Add AXES_RESET_ON_SUCCESS configuration flag
[arjenzijlstra]
Add a German translation [adonig]
Documentation wording changes [markddavidoff]
Use get_client_username in log_user_login_failed instead of credentials
[markddavidoff]
pin prospector to 0.12.11, and pin astroid to 1.6.5 [hsiaoyi0504]
Change custom authentication backend failures from error to warning log level [aleksihakli]
Set up strict code linting for CI pipeline that fails builds if linting does not pass [aleksihakli]
Clean up old code base and tests based on linter errors [aleksihakli]
Refactor and clean up code layout [aleksihakli]
Add prospector linting and code checks to toolchain [aleksihakli]
Clean up log message formatting and refactor type checks [EvaSDK]
Fix faulty user locking with user agent when AXES_ONLY_USER_FAILURES is set [EvaSDK]
Add configuration flags for client IP resolving [aleksihakli]
Add AxesModelBackend authentication backend [markdaviddoff]
Add AXES_CACHE setting for configuring axes specific caching.
[JWvDronkelaar]
Add checks and tests for faulty LocMemCache usage in application setup. [aleksihakli]
Improve Windows compatibility on Python < 3.4 by utilizing win_inet_pton [hsiaoyi0504]
Add documentation on django-allauth integration [grucha]
Add documentation on known AccessAttempt caching configuration problems
when using axes with the django.core.cache.backends.locmem.LocMemCache
[aleksihakli]
Refactor and improve existing AccessAttempt cache reset utility [aleksihakli]
AXES_USERNAME_FORM_FIELD
[camilonova]BREAKING CHANGES. AXES_BEHIND_REVERSE_PROXY AXES_REVERSE_PROXY_HEADER
AXES_NUM_PROXIES were removed in order to use django-ipware to get
the user ip address
[camilonova]
Added support for custom username field [kakulukia]
Customizing Axes doc updated [pckapps]
Remove filtering by username [camilonova]
Fixed logging failed attempts to authenticate using a custom authentication backend. [D3X]
Test against Python 2.7. [mbaechtold]
Test against Python 3.4. [pope1ni]
Fix DeprecationWarning for logger warning [richardowen]
Fixes global lockout possibility [joeribekker]
Changed the way output is handled in the management commands [ataylor32]
Many tweaks and handles successful AJAX logins. [Jack Sullivan]
Add tests for proxy number parametrization [aleksihakli]
Add AXES_NUM_PROXIES setting [aleksihakli]
Log failed access attempts regardless of settings [jimr]
Updated configuration docs to include AXES_IP_WHITELIST [Minkey27]
Add test for get_cache_key function [jorlugaqui]
Delete cache key in reset command line [jorlugaqui]
Add signals for setting/deleting cache keys [jorlugaqui]
Only look for lockable users on a POST [schinckel]
Fix and add tests for IPv4 and IPv6 parsing [aleksihakli]
Added settings for disabling success accesslogs [Minkey27]
Fixed illegal IP address string passed to inet_pton [samkuehn]
Fixed axes_reset management command to skip "ip" prefix to command
arguments.
[EvaMarques]
Added axes_reset_user management command to reset lockouts and failed
login records for given users.
[vladimirnani]
Fixed Travis-PyPI release configuration. [jezdez]
Make IP position argument optional. [aredalen]
Added possibility to disable access log [svenhertle]
Fix for IIS used as reverse proxy adding port number [Dmitri-Sintsov]
Made the signal race condition safe. [Minkey27]
Added AXES_ONLY_USER_FAILURES to support only looking at the user ID. [lip77us]
default_app_config so you can just use axes in INSTALLED_APPS
[vdboor]Removed middleware to use app_config [camilonova]
Lots of cleaning [camilonova]
Improved test suite and versions [camilonova]
Use render shortcut for rendering LOCKOUT_TEMPLATE [Radoslaw Luter]
Added app_label for RemovedInDjango19Warning [yograterol]
Add iso8601 translator. [mullakhmetov]
Edit json response. Context now contains ISO 8601 formatted cooloff time [mullakhmetov]
Add json response and iso8601 tests. [mullakhmetov]
Fixes issue 162: UnicodeDecodeError on pip install [joeribekker]
Added AXES_NEVER_LOCKOUT_WHITELIST option to prevent certain IPs from being locked out. [joeribekker]
Fixes whitelist check when BEHIND_REVERSE_PROXY [Patrick Hagemeister]
Made migrations py3 compatible [mvdwaeter]
Fixing #126, possibly breaking compatibility with Django<=1.7 [int-ua]
Add note for upgrading users about new migration files [kelseyq]
Fixes #148 [camilonova]
Decorate auth_views.login only once [teeberg]
Set IP public/private classifier to be compliant with RFC 1918. [SilasX]
Issue #155. Lockout response status code changed to 403. [Arthur Mullahmetov]
BUGFIX: Missing migration [smeinel]
Stopped using render_to_response so that other template engines work [tarkatronic]
Improved performance & DoS prevention on query2str [tarkatronic]
Immediately return from is_already_locked if the user is not lockable [jdunck]
Iterate over ip addresses only once [annp89]
added initial migration files to support django 1.7 &up. Upgrading users should run migrate --fake-initial after update [ibaguio]
Add db indexes to CommonAccess model [Schweigi]
Explain common issues where Axes fails silently [cericoda]
Allow for user-defined username field for lookup in POST data [SteveByerly]
Log out only if user was logged in [zoten]
Support for floats in cooloff time (i.e: 0.1 == 6 minutes) [marianov]
Limit amount of POST data logged (#73). Limiting the length of value is not enough, as there could be arbitrary number of them, or very long key names. [peterkuma]
Improve get_ip to try for real ip address [7wonders]
Change IPAddressField to GenericIPAddressField. When using a PostgreSQL database and the client does not pass an IP address you get an inet error. This is a known problem with PostgreSQL and the IPAddressField. https://code.djangoproject.com/ticket/5622. It can be fixed by using a GenericIPAddressField instead. [polvoblanco]
Get first X-Forwarded-For IP [tutumcloud]
White listing IP addresses behind reverse proxy. Allowing some IP addresses to have direct access to the app even if they are behind a reverse proxy. Those IP addresses must still be on a white list. [ericbulloch]
Reduce logging of reverse proxy IP lookup and use configured logger. Fixes #76. Instead of logging the notice that django.axes looks for a HTTP header set by a reverse proxy on each attempt, just log it one-time on first module import. Also use the configured logger (by default axes.watch_login) for the message to be more consistent in logging. [eht16]
Limit the length of the values logged into the database. Refs #73 [camilonova]
Refactored tests to be more stable and faster [camilonova]
Clean client references [camilonova]
Fixed admin login url [camilonova]
Added django 1.7 for testing [camilonova]
Travis file cleanup [camilonova]
Remove hardcoded url path [camilonova]
Fixing tests for django 1.7 [Andrew-Crosio]
Fix for django 1.7 exception not existing [Andrew-Crosio]
Removed python 2.6 from testing [camilonova]
Use django built-in six version [camilonova]
Added six as requirement [camilonova]
Added python 2.6 for travis testing [camilonova]
Replaced u string literal prefixes with six.u() calls [amrhassan]
Fixes object type issue, response is not an string [camilonova]
Python 3 compatibility fix for db_reset [nicois]
Added example project and helper scripts [barseghyanartur]
Admin command to list login attemps [marianov]
Replaced six imports with django.utils.six ones [amrhassan]
Replaced u string literal prefixes with six.u() calls to make it compatible with Python 3.2 [amrhassan]
Replaced assertIns and assertNotIns with assertContains and assertNotContains
[fcurella]
Added py3k to travis [fcurella]
Update test cases to be python3 compatible [nicois]
Python 3 compatibility fix for db_reset [nicois]
Removed trash from example urls [barseghyanartur]
Added django installer [barseghyanartur]
Added example project and helper scripts [barseghyanartur]
Added AttributeError in case get_profile doesn't exist [camilonova]
Improved axes_reset command [camilonova]
Update README.rst for PyPI [marty, camilonova, graingert]
Add cooloff period [visualspace]
Added 'username' field to the Admin table [bkvirendra]
Removed fallback logging creation since logging cames by default on django 1.4 or later, if you don't have it is because you explicitly wanted. Fixes #45 [camilonova]
Fix an issue when a user logout [camilonova]
Match pypi version [camilonova]
Better User model import method [camilonova]
Use only one place to get the version number [camilonova]
Fixed an issue when a user on django 1.4 logout [camilonova]
Handle exception if there is not user profile model set [camilonova]
Made some cleanup and remove a pokemon exception handling [camilonova]
Improved tests so it really looks for the rabbit in the hole [camilonova]
Match pypi version [camilonova]
Reverse proxy support [rmagee]
Clean up README [martey]
Fix setup.py [aclark4life]
Added ability to flag user accounts as unlockable. [kencochrane]
Added ipaddress as a param to the user_locked_out signal. [kencochrane]
Added a signal receiver for user_logged_out. [kencochrane]
Added a signal for when a user gets locked out. [kencochrane]
Added AccessLog model to log all access attempts. [kencochrane]
FAQs
Keep track of failed login attempts in Django-powered sites.
We found that django-axes demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.