Security - App Engine multitenancy (Python) [closed] - python

We have a legacy .exe solution running on industrial clients' desktops that I need to port over to Google App Engine. All clients will have the same version of the app, no code customization. We need to be sure that data will not be leaked between different clients of the new GAE app or be snooped on by some external party.
So I have a couple of questions that I hope someone will be able to help me out.
Option 1: Use namespaces to separate clients' data. This seems quite robust at the Datastore level; without the proper namespace data would not be served. Since we have the company name of each user, I would presume this would be quite secure against leaks.
Q1: Which precautions do I need to take to avoid someone guessing or hacking at URLs to get to unauthorized data?
Option 2: We could have a separate instance of the code and datastore for each client. This would give the optimal separation between clients.
Q2: Is there a tool or API to "clone" a given GAE app to many clients? We would feed the list of clients and update the code to all those instances in one go.
Thanks!

Which precautions do I need to take to avoid someone guessing or hacking at URLs to get to unauthorized data?
Namespaces are not a security mechanism for Datastore. A user with access to one partition in a project has access to all partitions in the project. Namespaces provide a way to organize your entities within a project.
Is there a tool or API to "clone" a given GAE app to many clients? We would feed the list of clients and update the code to all those instances in one go.
To have completely isolated instances of services, you can create new projects programmatically using the Cloud Resource Manager API and access resources across projects.
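Since namespaces only organize entities, the application has to bind every request to a tenant itself. The sketch below is an added example, not code from the question or the answer: the dict stands in for namespaced Datastore entities, and `User`, `STORE`, `get_report` and the tenant names are hypothetical.

```python
# Added example: tenant-scoped lookups. STORE is a constructed stand-in
# for namespaced Datastore entities; every name here is hypothetical.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a request reaches outside the caller's tenant."""


@dataclass(frozen=True)
class User:
    email: str
    tenant: str  # set server-side at login from the verified account


# (namespace, kind, id) -> entity; constructed sample data
STORE = {
    ("acme", "Report", 1): {"title": "Acme line 4 downtime"},
    ("globex", "Report", 1): {"title": "Globex furnace audit"},
}


def get_report(user, report_id, requested_tenant=None):
    """Fetch a report from the namespace bound to the authenticated user.

    requested_tenant models a value taken from the URL. It is only ever
    compared with the session's tenant, never used to choose the namespace.
    """
    if requested_tenant is not None and requested_tenant != user.tenant:
        raise Forbidden(f"{user.email} may not read tenant {requested_tenant!r}")
    entity = STORE.get((user.tenant, "Report", report_id))
    if entity is None:
        # Identical error for "missing" and "belongs to another tenant",
        # so guessing ids reveals nothing about other tenants' data.
        raise LookupError("report not found")
    return entity
```
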


Managing User Authentication for a web-app with MySQL [closed]

I'm building my first ever web-app in Python, haven't even decided on a framework yet.
Does it make sense to start out with a MySQL database to manage users and credentials?
Or is it a completely ridiculous way to approach it?
What are some existing solutions and best practices for managing user credentials?
The answer is, as always, it depends. There are many ways to build a web app in Python so you'll first need to decide on what you want to build or what technology you want to learn.
If you just want to focus on a Python backend as a learning exercise then you could use Flask which can run as a server and includes many modules to help you get started including managing users. If you plan to expose your app publicly though it is generally recommended to use Apache or some other battle tested server which can route the requests to Flask.
There are other Python frameworks like bottle which I believe is meant to be even simpler than Flask and Django which is more complicated but has more features. It all depends on what you want to do. You can also look at things like dash if your end goal has a data analysis flavor.
One thing to note though is that managing user credentials is not trivial. It can be a useful exercise if you like to learn and tinker, but to do it correctly you'll need to learn about salting passwords, cryptographically secure hashing, session management, HTTPS (and ideally which ciphers should be deprecated), how to protect against SQL injection (good to know how to do this anyway if you don't already), cross-site scripting, CORS, etc. The list goes on. None of these things are exclusively just for managing user credentials but you should understand all the ways things can go south on you.
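Three of the items in that list (per-user salts, a slow password hash, and SQL injection) fit in one small user store. This is an added example, not part of the original answer; it uses the standard library's sqlite3 as a stand-in for MySQL, PBKDF2-HMAC-SHA256 as one possible hash, and the function names are hypothetical.

```python
# Added example: salted, slow password hashing with parameterized SQL.
# sqlite3 stands in for MySQL; table and function names are hypothetical.
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return db


def register(db, name, password):
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    # Placeholders keep user input out of the SQL text entirely.
    db.execute(
        "INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
        (name, salt, hash_password(password, salt)),
    )


def verify(db, name, password):
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        # Do the same work for unknown names so response time does not
        # reveal which accounts exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    # Constant-time comparison of the derived key with the stored one.
    return hmac.compare_digest(hash_password(password, salt), stored)
```
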

Webapp with Python back-end. Should I use AWS Lambda? [closed]

I want to build a webapp with Python back-end. The front-end of the webapp will just have a simple input box where the user puts an address. Then, on the back-end I want to scrape content from the webpage in that address and then process that data. This data processing might become quite heavy.
I'm quite experienced with Python, although with webapps, hosting, and so on, I have zero experience. I bought a domain name and hosting on namecheap, even though I just found out that maybe I won't be needing to use their hosting, as someone in /r/webhosting recommended me to use AWS instead. This was the methodology I was recommended to follow:
switch to AWS (or Azure)
create python lambda/function to do whatever you want to do with this request...
put lambda behind api-gateway
put Cloudfront in front of api-gateway (optional but hey..)
I have seen tutorials to point the namecheap domain into an EC2 instance. But how do I go about doing this with Lambda? Is it the same principle? Can you point me to any tutorials that might teach me how to handle this? Is Lambda actually the optimal solution for this?
Thanks!
This is a great starting point: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-quick-start.html
AWS SAM handles creation and deployment of your Lambda and API Gateway. To have your API/web app exposed to a custom domain, you will need to create an AWS ACM SSL certificate and create a custom domain on your API Gateway. Basically it will create a hidden CloudFront distribution that you can use to set up your DNS.
Good luck!

Multiple Django apps under the same site [closed]

I am thinking of creating a content delivery web application using Django with a MySQL database, and after reading the docs a bit I noted that it is possible to create multiple apps in the same project/site directory.
It may or may not apply to what I want to do, but I was wondering what the motivation behind this architecture is. Why would I want multiple web apps in one site?
For example, Youtube was built around the Django framework, but the entire experience works seamlessly as one application? Is Youtube actually one large web application, or does the project use many applications packaged as one product? If so, why would that be a better option?
There's a good explanation about it in the django docs here and here.
From my own experience: it helps you to organize your code. If you're planning to create a small application it may not need more than one Django application. But if you want to create medium or large applications you can take advantage of this approach. Some useful cases:
Authentication
Blog
Split your RESTful API based on resources (e.g. clients, invoices, users, etc.)
Logging
Chat
Hope that helps a bit.

Allowing users to execute python code on the server [closed]

I know this is technically a duplicate question, but I believe it is valid since the original question was submitted 7 years ago and Python/web security has come a long way since then.
I would like to build a web app that allows users to input python code (through the Ace editor package) and then execute it in the browser using a python interpreter on the server. I cannot use pypy.js because I need to use numpy, pandas, and matplotlib. Essentially I would like to make my own Codecademy (I am a teacher and would like to create Codecademy-like courses for my students). Sadly the create-a-course thing Codecademy mentioned at one point has come to nothing.
I'm using Flask, but I could learn Django if that would be easier.
What is the best way to allow my users to run the python code without allowing them to affect the rest of the program or access files outside of what they're allowed to?
There were no fundamental changes in Python or web security in the last 7 years. It is still suicidal to allow users to run code on your server.
However, what did change is the availability of lightweight VM solutions like Docker.
For an example of how this could work have a look at https://civisanalytics.com/blog/engineering/2014/08/14/Using-Docker-to-Run-Python/ . I will not reference this solution here as you will find other examples, even if this one goes away.
However, this might be safer than running user code directly on your server, BUT
the user code is still running on your server. It might not be possible to escape the Docker image, but a malicious user could still upload e.g. a denial of service tool and start an attack from your server. Or sniff your network traffic or whatever.
there are or at least might be ways to break out of the Docker image.
For a controlled environment like a classroom those risks might be acceptable, but for a public server you would need a lot of security know-how to further lock down the server and the Docker image and filter available Python functionality.
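The lock-down mentioned above can start with the flags passed to `docker run`. This is an added example, not code from the answer or the linked post: the image name `classroom-sandbox:latest`, the paths and the limits are assumptions, and the flags reduce the risks listed above without removing them.

```python
# Added example: run one submitted script in a restricted container.
# IMAGE, the limits and the function names are hypothetical choices.
import subprocess
import uuid

IMAGE = "classroom-sandbox:latest"  # assumed image with numpy/pandas/matplotlib


def sandbox_argv(script_path, name):
    """Build the docker command line; script_path must be an absolute path."""
    return [
        "docker", "run", "--rm", "--name", name,
        "--network", "none",                      # no outbound traffic or sniffing
        "--memory", "256m", "--memory-swap", "256m",
        "--cpus", "0.5",
        "--pids-limit", "64",                     # stops fork bombs
        "--read-only", "--tmpfs", "/tmp:rw,size=16m",
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--user", "65534:65534",                  # unprivileged uid:gid
        "-v", f"{script_path}:/job/main.py:ro",
        IMAGE, "python", "/job/main.py",
    ]


def run_submission(script_path, timeout=10):
    """Return (exit_code, output); exit_code is None when the run timed out."""
    name = f"job-{uuid.uuid4().hex[:12]}"
    try:
        proc = subprocess.run(
            sandbox_argv(script_path, name),
            capture_output=True, text=True, timeout=timeout,
        )
        return proc.returncode, proc.stdout[:10_000]  # cap returned output
    except subprocess.TimeoutExpired:
        # The timeout only stops the docker client process; the container
        # keeps running until it is killed by name.
        subprocess.run(["docker", "kill", name], capture_output=True)
        return None, "timed out"
```
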

Is storing user configuration settings on database OK? [closed]

I'm building a fairly large enterprise application made in python that on its first version will require network connection.
I've been thinking of keeping some user settings stored on the database, instead of a file in the user's home folder.
Some of the advantages I've thought of are:
the user can change computers keeping all their settings
settings can be backed up along with the rest of the system's data (not a big concern)
What would be some of the caveats of this approach?
This is pretty standard. Go for it.
The caveat is that when you take the database down for maintenance, no one can use the app because their profile is inaccessible. You can either solve that by making a 100%-on db solution, or, more easily, through some form of caching of profiles locally (an "offline" mode of operations). That would allow your app to function whether the user or the db are off the network.
One caveat might depend on where the user is using the application from. For example, if they use two computers with different screen resolutions, and 'selected zoom/text size' is one of the things you associate with the user, it might not always be suitable. It depends what kind of settings you intend to allow the user to customize. My workplace still has some users trapped on tiny LCD screens with a max res of 800x600, and we have to account for those when developing.
Do you need the database to run any part of the application? If that's the case there are no reasons not to store the config inside the DB. You already mentioned the benefits and there are no downsides.
It's perfectly reasonable to keep user settings in the database, as long as the settings pertain to the application independent of user location. One possible advantage of a file in the user's home folder is that users can send settings to one another. You may of course regard this as an advantage or a disadvantage :-)
