Django-Security
This package offers a number of models, views, middlewares and forms to facilitate security hardening of Django applications.
Full documentation
Automatically generated documentation of django-security is available on Read The Docs:
Requirements
- Python >= 3.6
- Django >= 1.11
For Django < 1.8 use django-security==0.9.4. For Django < 1.11 use django-security==0.11.3.
Note: For versions prior to 0.10.0, datetime objects were added to the session and required Django's PickleSerializer for (de)serializing. This has since been changed so that the string representations of these datetime objects are stored instead. If you are still using PickleSerializer for this reason, we suggest switching to Django's default JSONSerializer (the default since Django 1.6) for better security.
Installation
Install from Python packages repository:
pip install django-security
If you prefer the latest development version, install from
django-security repository on GitHub:
git clone https://github.com/sdelements/django-security.git
cd django-security
sudo python setup.py install
Add the application to the Django project's settings.py file:
INSTALLED_APPS = (
    ...
    'security',
    ...
)
Before Django 1.10, middleware modules are added to the MIDDLEWARE_CLASSES list in the settings file:
MIDDLEWARE_CLASSES = (
    ...
    'security.middleware.DoNotTrackMiddleware',
    'security.middleware.ContentNoSniff',
    'security.middleware.XssProtectMiddleware',
    'security.middleware.XFrameOptionsMiddleware',
)
From Django 1.10 on, middleware modules are added to the MIDDLEWARE list in the settings file:
MIDDLEWARE = (
    ...
    'security.middleware.DoNotTrackMiddleware',
    'security.middleware.ContentNoSniff',
    'security.middleware.XssProtectMiddleware',
    'security.middleware.XFrameOptionsMiddleware',
)
Unlike the modules listed above, some other modules require configuration settings, which are fully described in the django-security documentation. A brief description is provided below.
Middleware
The provided middleware modules modify the web application's output and input and in most cases require no or minimal configuration.
Views
csp_report
A view that receives Content Security Policy violation reports sent by browsers in response to the CSP header set by ContentSecurityPolicyMiddleware. It should be used only if long-term, continuous CSP report analysis is required; for a one-time CSP setup, CspBuilder is much simpler.
This view can be configured to either log received reports or store them in the database. See the documentation for details.
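As an added illustration (not the package's own code), this is the shape of the report a browser POSTs to such an endpoint and the validation a handler should apply before anything reaches the security logger; REPORT_FIELDS, MAX_BODY_BYTES and the sample values are assumptions, not values from django-security.

```python
import json
import logging

# Logger name matches the "security" facility that django-security modules write to.
log = logging.getLogger("security")

# CSP 1.0 "csp-report" fields worth keeping; MAX_BODY_BYTES is an assumed cap.
REPORT_FIELDS = ("document-uri", "blocked-uri", "violated-directive", "original-policy")
MAX_BODY_BYTES = 16 * 1024


class InvalidCspReport(ValueError):
    """Raised when a request body is not a well-formed CSP violation report."""


def parse_csp_report(body: bytes) -> dict:
    """Validate a raw report body and return only the fields listed above."""
    if len(body) > MAX_BODY_BYTES:
        raise InvalidCspReport("report body too large")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise InvalidCspReport("report body is not valid JSON") from exc
    report = payload.get("csp-report") if isinstance(payload, dict) else None
    if not isinstance(report, dict):
        raise InvalidCspReport('missing "csp-report" object')
    # Keep known fields only, coerced to bounded strings, so odd types never reach the log.
    cleaned = {k: str(report[k])[:2048] for k in REPORT_FIELDS if k in report}
    if "violated-directive" not in cleaned:
        raise InvalidCspReport('report lacks "violated-directive"')
    return cleaned


def log_csp_report(body: bytes) -> bool:
    """Parse and log one report; return False (after a warning) on bad input."""
    try:
        report = parse_csp_report(body)
    except InvalidCspReport as exc:
        log.warning("rejected CSP report: %s", exc)
        return False
    log.info("CSP violation: directive=%s blocked=%s page=%s", report["violated-directive"],
             report.get("blocked-uri"), report.get("document-uri"))
    return True


# Constructed sample shaped like a browser's report for an inline-script violation.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example/checkout", "blocked-uri": "inline",
    "violated-directive": "script-src 'self'",
    "original-policy": "default-src 'self'; report-uri /csp-report/"}}).encode()
```

The size cap and the whitelist of fields matter because the report endpoint is unauthenticated by design: any client can POST to it, so what it accepts bounds what lands in your logs or CspReport table.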
require_ajax
A view decorator which ensures that the request being processed by the view is an AJAX request. Example usage:
@require_ajax
def myview(request):
    ...
Models
CspReport
Content Security Policy violation report object. It only makes sense if ContentSecurityPolicyMiddleware and the csp_report view are used.
With this model, the reports can then be analysed in the Django admin site.
PasswordExpiry
Associate a password expiry date with a user.
Logging
All django-security modules send important log messages to the security logger. The application should configure a handler to receive them:
LOGGING = {
    ...
    'loggers': {
        'security': {
            'handlers': ['console',],
            'level': 'INFO',
            'propagate': False,
            # Attach the formatter to the 'console' handler, not here:
            # logging.config.dictConfig ignores a 'formatter' key on a logger.
        },
    },
    ...
}