I've just got vulnerability report that came from pentesters for my Django project. The report says my Django app is vulnerable to the BREACH ATTACK. SSL is active, cookies are flagged as secure, session cookies are set as secure. HTTP Compressions closed by the sysadmin it is controlled from the Nginx that I have no access. So gzip is closed. Now I want to randomize csrf token for per client-side request for the django admin, especially for the login page. Is there a way to do this in settings.py in a simple way or do I have to write custom admin view? What is the best practice for this issue?
Related
I have working Django project. Now i want to add FastAPI so at existing django templates i can make API requests to refresh data without reloading whole template (like tables for example).
The question is how to connect FastAPI to existing django authentication system, so it can use sessions from db, so that user authenticate only once, when logging in to django project.
Here some options i have investigated:
Change django base authentication to oauth2, also set fastapi to oauth2 (though i desire to configure fastapi, not changing django)
Fetch django sessions from db on each api request and verify user
Both django and fastapi on the same server and can share the same db.
Maybe some better options are possible. Please advice what would be the best approach to use django already authenticated user data with fastapi? Thx
I have a Django project that will ultimately consist of three apps. Two of which will be "normal" Django apps, the third is a djangorestframework app. I also plan on creating a desktop client for the project at some point.
I want the rest app to be the only entity communicating with the database. Hence I use requests to communicate with the rest endpoints from the views of the "normal" Django apps and I will do the same for the desktop client. I want all apps to be accessible only for authenticated users, so I'm using Django's authentication backend.
My question is how to pass on the authenticated user/session from the pure Django apps to the rest endpoints when using requests in the views.
I managed to authenticate on the rest API using request's HTTPBasicAuth, but that requires me to have the user's password at hand in plain text. Sure, I could create a technical user to do these requests. But that would also mean that each and every request would need to go through authentication first and that doesn't feel like the best approach.
I have tried to extract the session cookie from the request object that is provided to the views and pass it on through requests.get, but did not manage to put it into the requests.get call the right way.
As of now, using requests and the established sessions looks like my best bet, especially since that will be the way the desktop client will do things, too. So I'm currently looking for the right way to provide requests.get with the session cookie, but I'm certainly open for better solutions.
You should use tokens.
Basically any kind of authentication out of your django project should be managed with secure tokens.
And yes, authentication check should happen everytime you send a request. To make it faster, you can store tokens in memory. (You can use redis or maybe even load your db on memory or ... ) but this is the right and common way to it. Even django does this check everytime using it's builtin functions.
DRF docs recommended some few packages to manage these tokens:
DRF: Third party packages
I used knox for many projects and it's pretty good.
Basically to authenticate your users over all of your projects or microservices, you have to take the token from user, set it as header or ... for your request to the main database or authentication project.
Most of the apps use token in headers which you can simply add to all of your requests calls:
Requests docs: Custom Headers
One of my projects I have developed backend API using Django REST Framework and mobile app using React Native. I have done the following things:
When the users log in I store their username in local (mobile) database.
When users post data I send the username to server reading from local database along with the POST data.
I check whether the user is logged in or not using the username and then process the request.
My question is: am I doing it in the right way? If no then what are the right procedures to do this kind of authentication checking?
How are you authenticating your users? It sounds like your using sessions authentication which is fine as long as both ends are on the same doamin. Then you just use the request.user object as you normal would in a non-api setting. I would recommend using Django-rest-framework-Jwt https://github.com/GetBlimp/django-rest-framework-jwt Json Web Tokens do not require you to store a bunch of information in sessions on your server keeping things faster.
Here is a good example of implementing jwt if your interested https://www.techiediaries.com/django-rest-framework-jwt-tutorial/
I am using Django framework for my backend support for a mobile app.
I choose to use the original Django's views.py to get my API url mapping and dump JSON for response, rather than using other REST frameworks like Django REST Framwork or TastiPie.
Now if I make a cross domain HTTP Request from my mobile client app. normally I will get a 403 Forbidden error because of Django's built-in CSRF protection. It seems like it can only work when I exempt it explicitly before each function in views.py. My question is, is it safe to exempt the protection? If exempt csrf is not a good way to do, what suggestions do you have on my situation?
Thanks
I'm trying to figure out how to make the Django test client play nice with my app that puts each user on it's own subdomain. i.e. each account has account1.myapp.com, account2.myapp.com.
A user could be members of multiple subdomains (similar basecamp's model) so i handle which subdomain the request is being issued against in middleware.
As I'm writing my unit tests, I realized that all requests are issued to "http://testserver" which my middleware then redirects and the subsequent 302 is not followed as it's determined to be an external request.
Anyone aware of a way to enable this with the test client? I'm currently hacking a bit in django to enable it.
in your tests, when using the client, add the HTTP_HOST parameter:
response = c.post(reverse('my-url'), data={}, HTTP_HOST='account1.myapp.com')
on your middleware now you should see the host changed!