• This repository has been archived on 01/Apr/2020
  • Stars
    star
    464
  • Rank 94,450 (Top 2 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created over 13 years ago
  • Updated over 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

This project was merged into Django 1.8, and is now unsupported and unmaintained as a third-party app.

django-secure

Warning

This project was merged into Django 1.8. It does not provide any additional checks beyond those included in Django 1.8+, so there is no reason to use it with Django 1.8+. Since Django 1.8 is now the lowest supported Django version, this project is now unsupported and un-maintained.

Helping you remember to do the stupid little things to improve your Django site's security.

Inspired by Mozilla's Secure Coding Guidelines, and intended for sites that are entirely or mostly served over SSL (which should include anything with user logins).

Quickstart

Dependencies

Tested with Django 1.4 through trunk, and Python 2.6, 2.7, 3.2, and 3.3. Quite likely works with older versions of both, though; it's not very complicated.

Installation

Install from PyPI with pip:

pip install django-secure

or get the in-development version:

pip install django-secure==dev

Usage

  • Add "djangosecure" to your INSTALLED_APPS setting.
  • Add "djangosecure.middleware.SecurityMiddleware" to your MIDDLEWARE_CLASSES setting (where depends on your other middlewares, but near the beginning of the list is probably a good choice).
  • Set the SECURE_SSL_REDIRECT setting to True if all non-SSL requests should be permanently redirected to SSL.
  • Set the SECURE_HSTS_SECONDS setting to an integer number of seconds and SECURE_HSTS_INCLUDE_SUBDOMAINS to True, if you want to use HTTP Strict Transport Security.
  • Set the SECURE_FRAME_DENY setting to True, if you want to prevent framing of your pages and protect them from clickjacking.
  • Set the SECURE_CONTENT_TYPE_NOSNIFF setting to True, if you want to prevent the browser from guessing asset content types.
  • Set the SECURE_BROWSER_XSS_FILTER setting to True, if you want to enable the browser's XSS filtering protections.
  • Set SESSION_COOKIE_SECURE and SESSION_COOKIE_HTTPONLY to True if you are using django.contrib.sessions. These settings are not part of django-secure, but they should be used if running a secure site, and the checksecure management command will check their values.
  • Ensure that you're using a long, random and unique SECRET_KEY.
  • Run python manage.py checksecure to verify that your settings are properly configured for serving a secure SSL site.

Warning

If checksecure gives you the all-clear, all it means is that you're now taking advantage of a small selection of easy security wins. That's great, but it doesn't mean your site or your codebase is secure: only a competent security audit can tell you that.

Documentation

See the full documentation for more details.

More Repositories

1

django-form-utils

[UNMAINTAINED] Form enhancements for Django (fieldset and row-attrs support, and more)
Python
145
star
2

django-transaction-hooks

Django database backends with post-transaction-commit hooks. Merged into Django 1.9; please report bugs or make feature requests in core Django, not here.
Python
108
star
3

synology-mediamon

Auto-indexing media files monitor for Synology DiskStation NAS
Python
84
star
4

django-adminfiles

[MIRROR] File uploader/manager/picker for Django admin; see demo screencast at http://vimeo.com/8940852
Python
64
star
5

django-testing-slides

Talk given at PyCon 2012 on Django and testing.
JavaScript
60
star
6

django-icanhaz

Embed icanhaz.js templates into Django templates with minimal fuss.
Python
29
star
7

django-localeurl

[MIRROR] A Django appliation to allow transparently specifying the language of a page in the URL (e.g. example.com/en/some/url/). By Joost Cassee.
Python
13
star
8

pytest-smartcov

Smart coverage measurement for py.test.
Python
12
star
9

pipvirtualenv-preso

presentation on pip and virtualenv for PyCon 2011
JavaScript
12
star
10

fern

Yet another env config parser.
Python
12
star
11

dotfiles

my dotfiles
Emacs Lisp
10
star
12

django-errorstack

[MIRROR] Django integration for ErrorStack.com error reporting service.
Python
8
star
13

wsgiwatcher

Unmaintained proof of concept. See https://github.com/Pylons/hupper for an improved and maintained version of this.
Python
6
star
14

tamingdeps

DjangoCon US 2011 talk on "taming dependencies with pip"
JavaScript
5
star
15

compfinder

Tool for finding class-scoped comprehensions whose name resolution might be impacted by PEP 709
Python
3
star
16

compgenerator

Comprehension compilation fuzzer
Python
2
star
17

nunjucks-call

An implementation of the 'call' tag for nunjucks
JavaScript
2
star
18

tipbof2012-slides

2
star
19

carljm.me

HTML
1
star
20

formrenderbench

Django form rendering benchmarks
Python
1
star
21

FotoFun

Objective-C
1
star
22

Wonderment

Python
1
star
23

clue

Clue game solver.
Python
1
star