Models, views, middlewares and forms to facilitate security hardening of Django applications.
This package offers a number of models, views, middlewares and forms to facilitate security hardening of Django applications.
Automatically generated documentation of django-security is available on Read The Docs:
Install from PyPI, the Python package repository:

```shell
pip install django-security
```

If you prefer the latest development version, install from the django-security repository on GitHub:

```shell
git clone https://github.com/sdelements/django-security.git
cd django-security
poetry install
```
Add the application to your Django project's settings.py file:

```python
INSTALLED_APPS = (
    ...
    'security',
    ...
)
```
Middleware modules can be added to the MIDDLEWARE list in the settings file:

```python
MIDDLEWARE = (
    ...
    'security.middleware.LoginRequiredMiddleware',
    ...
)
```
Unlike the modules listed above, some other modules require configuration settings, which are fully described in the django-security documentation. A brief description is provided below.
The provided middleware modules modify the web application's output and input and in most cases require no or minimal configuration.
Middleware | Description | Configuration |
---|---|---|
ClearSiteDataMiddleware | Send Clear-Site-Data header in HTTP response for any page that has been whitelisted. Recommended. | Required. |
ContentSecurityPolicyMiddleware | Send Content Security Policy (CSP) header in HTTP response. Recommended, requires careful tuning. | Required. |
LoginRequiredMiddleware | Requires a user to be authenticated to view any page on the site that hasn't been whitelisted. | Required. |
MandatoryPasswordChangeMiddleware | Redirects any request from an authenticated user to the password change form if that user's password has expired. | Required. |
NoConfidentialCachingMiddleware | Adds No-Cache and No-Store headers to confidential pages. | Required. |
ReferrerPolicyMiddleware | Specify when the browser will set a `Referer` header. | Optional. |
SessionExpiryPolicyMiddleware | Expire sessions on browser close, and on expiry times stored in the cookie itself. | Required. |
ProfilingMiddleware | A simple middleware to capture useful profiling information in Django. | Optional. |
csp_report
View that receives Content Security Policy violation reports sent by browsers in response to the CSP header set by `ContentSecurityPolicyMiddleware`. This should be used only if long-term, continuous CSP report analysis is required. For a one-time CSP setup, CspBuilder is much simpler.
This view can be configured to either log received reports or store them in database. See documentation for details.
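The view above has to validate what browsers POST to it before anything is logged or stored. The following is an added example, not code from django-security, of that validation step: it assumes the standard CSP Level 2 report shape (a JSON object with a `csp-report` member) and flags reports caused by browser extensions so they do not pollute long-term analysis.

```python
import json
from urllib.parse import urlparse

# Keys a CSP Level 2 report carries under "csp-report"; the first three are
# the minimum needed for a report to be worth storing for later analysis.
REQUIRED = ("document-uri", "violated-directive", "blocked-uri")
OPTIONAL = ("effective-directive", "original-policy", "referrer",
            "source-file", "line-number", "column-number", "status-code")

# blocked-uri schemes that belong to browser extensions or internal pages,
# not to content the site served; typical noise in a continuous report stream.
NOISE_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension",
                 "about", "chrome", "resource"}


class ReportError(ValueError):
    """Raised when a POST body is not a well-formed CSP violation report."""


def parse_csp_report(body: bytes, max_bytes: int = 16 * 1024) -> dict:
    """Validate one browser-submitted report and return a flat record.

    Raises ReportError for oversized, non-JSON or structurally wrong input,
    so a receiving view can answer 400 instead of storing garbage.
    """
    if len(body) > max_bytes:
        raise ReportError("report too large")
    try:
        outer = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ReportError(f"invalid JSON: {exc}") from None
    report = outer.get("csp-report") if isinstance(outer, dict) else None
    if not isinstance(report, dict):
        raise ReportError('missing "csp-report" object')
    for key in REQUIRED:
        if not isinstance(report.get(key), str):
            raise ReportError(f"missing or non-string field {key!r}")
    record = {k: report[k] for k in REQUIRED}
    record.update({k: report[k] for k in OPTIONAL if k in report})
    # Older browsers omit effective-directive; derive it from the first token
    # of violated-directive so reports can be grouped by directive either way.
    tokens = record["violated-directive"].split()
    record.setdefault("effective-directive", tokens[0] if tokens else "")
    # Resources injected by an extension say nothing about the site's own
    # policy; mark them so an operator can exclude them when tuning the CSP.
    scheme = urlparse(record["blocked-uri"]).scheme
    record["noise"] = scheme in NOISE_SCHEMES
    return record
```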
require_ajax
A view decorator which ensures that the request being processed by the view is an AJAX request. Example usage:

```python
from security.views import require_ajax  # decorator provided by django-security
from django.http import JsonResponse

@require_ajax
def myview(request):
    # Only reached for AJAX requests; other callers are rejected by the decorator.
    return JsonResponse({"ok": True})
```
CspReport
Content Security Policy violation report object. Only makes sense if ContentSecurityPolicyMiddleware and the csp_report view are used.
With this model, the reports can then be analysed in the Django admin site.
PasswordExpiry
Associate a password expiry date with a user.
All django-security modules send important log messages to the security facility. The application should configure a handler to receive them:

```python
LOGGING = {
    ...
    'loggers': {
        'security': {
            'handlers': ['console',],
            'level': 'INFO',
            'propagate': False,
            'formatter': 'verbose',
        },
    },
    ...
}
```