Harry

Reputation: 13329

How secure is Django

A client of mine asked me this question. I am not even sure what to reply? I am no security expert, just a web dev. What can I say?

Upvotes: 26

Views: 23034

Answers (5)

Gaurav Jain

Reputation: 1865

Django is one of the most secure web frameworks. Django provides ways to protect against some common web application vulnerabilities out of the box, such as:

  • SQL Injection
  • CRLF Injection
  • Timing Attack
  • Clickjacking Attack
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • HTTP Strict Transport Security (SSL)
  • Session Hijacking
  • Denial of Service (DoS)
  • Miscellaneous

I had a similar situation, then I went through the official documentation and multiple resources. I gathered and compiled all the details here:

https://gauravvjn.medium.com/secrets-of-security-in-a-django-application-0dfb41957eb0

Upvotes: 4
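Several items in the list above (HTTP Strict Transport Security, clickjacking, session hijacking, CSRF, host header validation) only protect a site when the corresponding settings and middleware are actually enabled. The following is an added illustration of how to check that, not code from the answer above, from the linked article, or from Django itself (Django ships its own `manage.py check --deploy` for this purpose). The setting and middleware names are real Django names; the `WEAK_SETTINGS` and `HARDENED_SETTINGS` dictionaries are constructed samples.

```python
"""Audit a Django settings mapping for deployment-hardening options.

Added illustration, not Django's own `check --deploy`. Setting and
middleware names are Django's; the sample settings below are constructed.
"""

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"


def audit_settings(settings: dict) -> list[str]:
    """Return one finding per weak or missing setting; [] means nothing was flagged.

    Keys that are absent are treated as Django's defaults
    (DEBUG=False, SECURE_HSTS_SECONDS=0, cookies not Secure, ...).
    """
    findings = []
    middleware = settings.get("MIDDLEWARE", [])

    if settings.get("DEBUG", False):
        findings.append("DEBUG=True: tracebacks and settings are shown to visitors")
    if str(settings.get("SECRET_KEY", "")).startswith("django-insecure-"):
        findings.append("SECRET_KEY is the generated placeholder: sessions and CSRF tokens are forgeable")
    if not settings.get("ALLOWED_HOSTS"):
        findings.append("ALLOWED_HOSTS empty: Host header validation is not configured")
    if SECURITY_MW not in middleware:
        findings.append("SecurityMiddleware missing: HSTS and SSL-redirect settings have no effect")
    if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
        findings.append("SECURE_HSTS_SECONDS=0: no Strict-Transport-Security header is sent")
    if not settings.get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT=False: plain HTTP requests are served")
    for cookie in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(cookie, False):
            findings.append(f"{cookie}=False: cookie can travel over plain HTTP (session hijacking)")
    if XFRAME_MW not in middleware:
        findings.append("XFrameOptionsMiddleware missing: no X-Frame-Options header (clickjacking)")
    elif settings.get("X_FRAME_OPTIONS", "DENY") not in ("DENY", "SAMEORIGIN"):
        findings.append("X_FRAME_OPTIONS must be DENY or SAMEORIGIN")
    if CSRF_MW not in middleware:
        findings.append("CsrfViewMiddleware missing: POST forms are not CSRF-checked")
    return findings


# Constructed sample: what a freshly generated project often looks like in production.
WEAK_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-placeholder",
    "ALLOWED_HOSTS": [],
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
}

# Constructed sample: the same options with the protections switched on.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": "replace-with-a-long-random-value-from-your-secret-store",
    "ALLOWED_HOSTS": ["example.com"],
    "SECURE_HSTS_SECONDS": 31536000,
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "X_FRAME_OPTIONS": "DENY",
    "MIDDLEWARE": [SECURITY_MW, CSRF_MW, XFRAME_MW],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"[{label}] {len(audit_settings(cfg))} finding(s)")
        for line in audit_settings(cfg):
            print("  -", line)
```

Run it as a script to see the ten findings for the weak configuration and none for the hardened one; in a real project you would pass `django.conf.settings.__dict__` or a dict built from it, but the real `check --deploy` covers more cases than this sketch.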

Sourav

Reputation: 11

Security in Django: by default, Django prevents most common security mistakes:

  • Cross site scripting (XSS) protection
  • Cross site request forgery (CSRF) protection
  • SQL injection protection
  • Clickjacking protection
  • SSL/HTTPS
  • Host header validation

Upvotes: 1

vartec

Reputation: 134631

By default, Django prevents most common security mistakes:

  • XSS (cross-site scripting) protection — Django's template system escapes variables by default, unless they are explicitly marked as safe.
  • CSRF (cross-site request forgery) protection — easy to turn on globally, guarantees that forms (POST requests) are sent from your own site.
  • SQL injection protection — Django uses a built-in ORM, thus there is no risk of SQL injection (raw queries are possible, but by no means something that a beginner would need to use).

Additional security features:

  • Clickjacking protection — Django can detect when the content is requested from an unauthorized iframe.
  • Safe password hash — Django by default uses PBKDF2; another option is bcrypt. Both are resilient to the use of rainbow tables (thanks to salt), and both have significant compute time to prevent easy brute force.

It's also important to note that Django is implemented in Python, which has an excellent security track record. Thus the underlying language is not a security risk.

More on Django security: https://docs.djangoproject.com/en/stable/topics/security/

Upvotes: 32

Thibault J

Reputation: 4446

Django is as secure as any web framework can be. It provides tools and docs to prevent common mistakes causing security problems (CSRF, XSS, etc.).

However, a tool in itself cannot be "secure". The whole platform's security depends on the proper use of the tools you choose, and thus is more a matter of developer skills.

Upvotes: 17

cwoebker

Reputation: 3288

As a web framework it has some functions that will help you in making your site secure. You can't directly say of a web framework that it is secure.

In the end it's all about how your client designs his project. Django is used in big projects and therefore it has proven to be usable in a production environment. DISQUS is one of the best examples of that.

If your client is willing to put some effort into securing his site he will be fine with Django or any other framework, but it's not the framework that makes a site secure, it's how a developer uses the framework.

Upvotes: 8
