#14201: Add a "security overview" page to the docs
---------------------------------------+-------------------------------
               Reporter:  russellm     |          Owner:  davidfischer
                   Type:  New feature  |         Status:  new
              Milestone:               |      Component:  Documentation
                Version:  1.2          |       Severity:  Normal
             Resolution:               |       Keywords:  security
           Triage Stage:  Accepted     |      Has patch:  1
    Needs documentation:  0            |    Needs tests:  0
Patch needs improvement:  0            |  Easy pickings:  0
---------------------------------------+-------------------------------

Comment (by lukeplant):

 This patch is a great start. We should also include:

  * SQL injection (I know, Django makes you forget it even exists, isn't it
 wonderful?)
  * Clickjacking

 I think we should also have a dedicated section on SSL, and how to really
 get that hardened, which really requires setting both
 SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to be `True`. That in turn
 might bring up the subject of how to securely redirect HTTP traffic to
 HTTPS, which is tricky due to reverse proxies. (See #14597 - warning: epic
 ticket!). I'm happy to write this bit, having some experience here.

 Regarding OWASP - I don't think their stuff on CSRF is up to much,
 especially their
 [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet prevention cheat sheet],
 so perhaps we shouldn't link to that. I've corresponded with them
 by e-mail at length, and pointed out the flaws in their argument regarding
 using CSRF tokens in the query string, but they didn't seem interested in
 fixing that page. I'd fix it myself, except you need permissions, and my
 requests for an account have gone unheeded (though they said I was welcome
 to edit it), and eventually I got worn out trying to improve things.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/14201#comment:8>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
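An added example, not from the ticket or from Django's own code, that audits a settings mapping for the two cookie flags the comment names and shows why the HTTP-to-HTTPS redirect is tricky behind a reverse proxy. It assumes the later Django settings SECURE_SSL_REDIRECT and SECURE_PROXY_SSL_HEADER (not mentioned on this page), and `request_is_secure` is a simplified re-implementation of Django's scheme detection rather than Django itself.

```python
# Constructed settings: a development-style module (weak) and a production
# module deployed behind a TLS-terminating reverse proxy (hardened).
WEAK = {
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_SSL_REDIRECT": False,      # assumed: setting from a later Django
    "SECURE_PROXY_SSL_HEADER": None,   # assumed: setting from a later Django
}
HARDENED = {
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_SSL_REDIRECT": True,
    # Safe only if the proxy always sets this header itself and strips any
    # copy supplied by the client; otherwise a client can claim "https".
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
}


def audit_tls_settings(s, behind_proxy):
    """Return the hardening gaps from the comment as readable findings."""
    findings = []
    if not s.get("SESSION_COOKIE_SECURE"):
        findings.append("SESSION_COOKIE_SECURE is not True: session cookie sent over plain HTTP")
    if not s.get("CSRF_COOKIE_SECURE"):
        findings.append("CSRF_COOKIE_SECURE is not True: CSRF cookie sent over plain HTTP")
    if not s.get("SECURE_SSL_REDIRECT"):
        findings.append("SECURE_SSL_REDIRECT is not True: no HTTP -> HTTPS redirect")
    elif behind_proxy and not s.get("SECURE_PROXY_SSL_HEADER"):
        findings.append("redirect enabled behind a TLS-terminating proxy without "
                        "SECURE_PROXY_SSL_HEADER: every request looks insecure (redirect loop)")
    return findings


def request_is_secure(s, meta, wsgi_url_scheme):
    """Simplified mirror of Django's request.is_secure(): trust the proxy header
    only when SECURE_PROXY_SSL_HEADER names it, otherwise use the WSGI scheme."""
    header = s.get("SECURE_PROXY_SSL_HEADER")
    if header and header[0] in meta:
        return meta[header[0]].split(",", 1)[0].strip() == header[1]
    return wsgi_url_scheme == "https"


def redirect_loops(s, meta, wsgi_url_scheme):
    """True if the redirect would fire even though the client already used HTTPS
    to the proxy, i.e. the reverse-proxy trap the comment warns about."""
    return bool(s.get("SECURE_SSL_REDIRECT")) and not request_is_secure(s, meta, wsgi_url_scheme)


if __name__ == "__main__":
    proxied = {"HTTP_X_FORWARDED_PROTO": "https"}  # constructed: header the proxy adds
    print(audit_tls_settings(WEAK, behind_proxy=True))
    print(redirect_loops(dict(HARDENED, SECURE_PROXY_SSL_HEADER=None), proxied, "http"))
    print(redirect_loops(HARDENED, proxied, "http"))
```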