Proposed text:

Take a look at the Open Web Application Security Project (OWASP) Top 10 list 
<https://www.owasp.org/index.php/Top_10_2013-Top_10> which identifies some 
common vulnerabilities in web applications. While Django has tools to 
address some of the issues, other issues must be accounted for in the 
design of your project.

(linked to https://www.owasp.org/index.php/Top_10_2013-Top_10)

https://github.com/django/django/pull/6425

On Wednesday, April 6, 2016 at 5:03:24 AM UTC-4, Erik Cederstrand wrote:
>
>
> > On 6 Apr 2016 at 07:29, Anssi Kääriäinen <akaa...@gmail.com> wrote: 
> > 
> > It is notable that if the number of items is a secret (say, you don't 
> > want to reveal how many sales items you have), just having information 
> > about sequential numbers is bad. In that case you should use UUID, 
> > which the documentation could point out. 
>
> If anything about your data is sensitive, then there are a pile of side 
> channels that putting your data online could expose. URLs are just one. For 
> an entertaining read, google "German tank problem". 
>
> Giving specific security advice in the documentation that doesn't strictly 
> refer to Django features could IMO lead to the false expectation that 
> you're magically secure if you follow the advice. I would prefer that the 
> documentation simply pointed to further reading, e.g. OWASP. 
>
> Erik
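As an added illustration of the point in the quoted exchange (example code, not from the thread or from Django itself): a constructed simulation of what a handful of sequential primary keys exposed in URLs reveals about the size of a table, using the German tank estimator Erik mentions, beside UUID keys as Anssi suggests. The function names and the sample sizes are my own.

```python
import random
import uuid


def sequential_ids(n):
    """Auto-increment style keys, as Django's default AutoField assigns them."""
    return list(range(1, n + 1))


def uuid_ids(n):
    """Random keys, as a UUIDField with default=uuid.uuid4 would assign them."""
    return [uuid.uuid4() for _ in range(n)]


def as_int(pk):
    """Normalise either key type to an integer so the estimator can be applied."""
    return pk.int if isinstance(pk, uuid.UUID) else int(pk)


def estimate_total(observed):
    """Minimum-variance unbiased estimator from the German tank problem.

    Given k serial numbers sampled without replacement with largest value m,
    the population size is estimated as N ~= m + m/k - 1.  The estimate is
    only meaningful when the keys are dense and sequential.
    """
    values = [as_int(pk) for pk in observed]
    k = len(values)
    m = max(values)
    return m + m / k - 1


def leaked_count(ids, sample_size, seed=0):
    """Simulate seeing `sample_size` public URLs and estimating the table size.

    The seed is fixed so the constructed sample is reproducible.
    """
    rng = random.Random(seed)
    return estimate_total(rng.sample(ids, sample_size))


if __name__ == "__main__":
    # A 1000-row table: 20 sequential ids land close to the true count,
    # while 20 UUIDs yield a number near 2**128 regardless of table size.
    print("sequential:", leaked_count(sequential_ids(1000), 20))
    print("uuid:      ", leaked_count(uuid_ids(1000), 20))
```

In Django the UUID variant corresponds to declaring `models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)` on the model, as the UUIDField documentation shows.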
