How to add security to your Django website?
Communication over the web happens through an HTTP connection, and more often than not you never know who is on the other end. It may be one of your users, but it could also be a malicious attacker looking for an opportunity. Any data from the browser, regardless of its source, should be handled with caution and checked for threats. This includes data from web forms as well as HTTP headers, cookies, and other request metadata.
As Web developers, we have a duty to do what we can to combat these forces of darkness. Every Web developer needs to treat security as a fundamental aspect of Web programming. Unfortunately, it turns out that implementing security is hard.
Attackers need to find only a single vulnerability, but defenders have to protect against every single one. Django attempts to mitigate this difficulty. It is designed to automatically protect you from many of the common security mistakes that new and also experienced web developers make.
Still, it is important to understand what these problems are, how Django protects you, and most importantly the steps you can take to make your code even more secure.
Some of the attacks that threaten a web application are SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF) and clickjacking.
SQL Injection
SQL injection is a common vulnerability in which an attacker modifies web page parameters such as GET/POST data or URLs to inject arbitrary SQL snippets into a naive web application's database query. This can result in records being deleted or data being leaked. It is, without a doubt, one of the most dangerous and, unfortunately, one of the most common vulnerabilities.
Example
Suppose you have a blog with an email list to which you send a newsletter every week. Over time the list has grown to contain a lot of addresses. To restrict access to the contact list, you prompt each user for their username and then look up their email address.
If the username provided is used directly to look up the email address, you put your data at risk: an attacker can craft the username so that it injects SQL into the query and gathers, updates or deletes your entire list of email addresses.
Solution
The solution is to never trust user-entered data and never pass it straight into SQL; it must always be escaped or passed as a query parameter. You do not need to hand-write this escaping: the Django database API protects your website against this attack by automatically escaping all SQL parameters according to the quoting conventions of the database server you are using, such as PostgreSQL or MySQL.
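The newsletter lookup above, as an added example that is not part of the original article: it uses Python's standard-library sqlite3 module (not Django itself) to show the difference between pasting the username into the SQL text and passing it as a driver parameter, which is what Django's database API does for you. The table and subscriber rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the blog's newsletter list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO subscriber VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_email_unsafe(conn, username):
    """Vulnerable: the username becomes part of the SQL statement itself.

    Anything the user types is interpreted by the database as SQL, so a
    username containing quotes can change the WHERE clause and expose
    addresses that do not belong to that user.
    """
    sql = "SELECT email FROM subscriber WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Parameterised: the username is sent to the driver as a value.

    The statement text is fixed and the value is bound separately, so it
    can only ever be compared as data, never executed as SQL. Django's
    ORM (and the params argument of its raw() / cursor.execute()) does
    the same escaping for whichever database backend you use.
    """
    sql = "SELECT email FROM subscriber WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    # A normal username behaves the same either way.
    print(lookup_email_safe(db, "alice"))          # ['alice@example.com']
    # A username that is not a real user returns nothing when parameterised.
    print(lookup_email_safe(db, "' OR '1'='1"))    # []
    # The same input against the unsafe query leaks every address.
    print(lookup_email_unsafe(db, "' OR '1'='1"))  # both addresses
```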
Cross Site Scripting
Web applications that fail to properly escape user-submitted text before rendering it into HTML are vulnerable to cross-site scripting (XSS). An attacker can use this to inject arbitrary HTML into your web page, commonly in the form of a <script> element.
To prevent cross-site scripting, the developer has to escape user-entered data before rendering it and must never insert it into the page directly.
Clickjacking
Clickjacking is an attack in which a malicious site uses a frame to embed another site. An unsuspecting user may be tricked into performing unintended actions on the framed target site.
Django has clickjacking prevention in the form of the X-Frame-Options middleware, which can prevent a site from being rendered inside a frame in a compatible browser.