Reputation: 1646
Why is serving static files insecure
This might be a stupid question and have an obvious answer, but I was testing my 404 and 500 error handlers meaning that I had to switch debug to False. I went to Django admin page and noticed that static files are not being served.
I understand that they should be routed through Apache as serving static files through Django is insecure. However, I don't quite understand why is it a security risk to serve static files through Django directly?
Upvotes: 19
Views: 10453
Answers (1)
Reputation: 718698
Here is what the Django 1.8 documentation says on the subject:
--insecure
Use the
--insecureoption to force serving of static files with the staticfiles app even if theDEBUGsetting isFalse. By using this you acknowledge the fact that it’s grossly inefficient and probably insecure. This is only intended for local development, should never be used in production and is only available if thestaticfilesapp is in your project’sINSTALLED_APPSsetting.
As you can see, they say "grossly inefficient" and "probably insecure". They didn't say "definitely insecure" or "insecure". I think that what they are hinting at is that they haven't done a thorough security analysis of the staticfiles app and its interactions with the rest of Django.
For me, the "grossly inefficient" part should be sufficient to deter you from serving static content. It is easy to do it better ... starting with the collectstatic command.
Some more searching lead me to this Google Groups posting, in response to someone asking about why --insecure is insecure.
From: Malcolm Tredinnick
Nothing can be considered secure unless it is designed and audited for security. We have done neither with the static file server. It may not have existing security holes, but it should not be considered secure because that's not a design goal.
For example, a secure file server would need to check for resource allocation problems so that serving a very large file didn't constitute a denial-of-service attack. That requires a lot of extra code and pipeline management which isn't worth putting into something that's just for development purposes.
... which supports my interpretation.
Upvotes: 34
Related Questions
- Django is not serving staticfiles
- Unable to serve static files correctly in Django app
- Cannot serve static files, Django 1.6
- Django won't serve some static files
- Django seems to strip https from static file URLs – why?
- Django and Serving Static Files
- Serve static files in Django. Need explanation
- Python - Django documentation says this is an insecure way of serving static files - is it true, and if yes, how so?
- Security issues with serving static files through Django?
- Django not serving some static files