A handy security checklist
Security is not an afterthought but is instead integral to the way you write applications. However, being human, it is handy to have a checklist to remind you of the common omissions.
The following points are a bare minimum of security checks that you should perform before making your Django application public:
- Don't trust data from a browser, API, or any outside sources: This is a fundamental rule. Make sure you validate and sanitize any outside data.
- Don't keep
SECRET_KEY
in version control: As a best practice, pickSECRET_KEY
from the environment. Check out thedjango-environ
package. - Don't store passwords in plain text: Store your application password hashes instead. Add a random salt as well.
- Don't log any sensitive data: Filter out the confidential data such as credit card details or API keys from your log files.
- Any secure transaction or login should use SSL: Be aware that eavesdroppers in the same network as you are could listen to your web...