6  Django Security Controls

Create Super User

mvp24 main = $(.venv)  python manage.py createsuperuser
Username (leave blank to use 'jerem'): jeremy
Email address: jeremy@mrchen.org
Password:
Password (again):
This password is entirely numeric.
Bypass password validation and create user anyway? [y/N]: y
Superuser created successfully.

settings.py

AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

6.0.1 Understanding CSRF (Cross-Site Request Forgery)

6.0.1.1 What is CSRF?

CSRF stands for Cross-Site Request Forgery. It is a type of security vulnerability where an attacker tricks a user into executing unwanted actions on a web application in which they are authenticated. Unlike XSS, which exploits a user’s trust in a website, CSRF exploits the website’s trust in the user’s browser.

6.0.1.2 How CSRF Works

  1. User Authentication: The user logs into a trusted website (e.g., their bank) and maintains an authenticated session through cookies.

  2. Visit a Malicious Site: While still logged into the trusted site, the user unknowingly visits a malicious website or clicks on a malicious link.

  3. Unwanted Action Triggered: The malicious site sends a request to the trusted website using the user’s browser, leveraging the user’s authenticated session to perform actions without their consent, such as transferring funds or changing account details.

6.0.1.3 CSRF Example

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Contact Form</title>
</head>
<body>
    <h1>Contact Us</h1>
    <form method="post" action="/contact/">
        {% csrf_token %}
        <label for="name">Name:</label><br>
        <input type="text" id="name" name="name" required><br><br>

        <label for="email">Email:</label><br>
        <input type="email" id="email" name="email" required><br><br>

        <label for="message">Message:</label><br>
        <textarea id="message" name="message" rows="4" cols="50" required></textarea><br><br>

        <input type="submit" value="Submit">
    </form>
</body>
</html>

Don’t forget to include the {% csrf_token %} tag in your forms when using Django. The tag renders a hidden field carrying a token tied to the current user’s session; a page on another origin cannot read that token, so Django’s CSRF middleware can reject any POST that does not carry it and thereby protect your application against CSRF attacks.

6.0.1.4 CSRF vs. XSS

While both CSRF and XSS are web security vulnerabilities, they differ in their approach and impact:

  • CSRF (Cross-Site Request Forgery):
    • Exploits: The trust that a website has in the user’s browser session.
    • Impact: Forces users to perform actions they did not intend, using their authenticated session.
    • Example: An attacker tricks a user into clicking a link that transfers funds from their bank account.
  • XSS (Cross-Site Scripting):
    • Exploits: The trust that a user has in the content displayed by a website.
    • Impact: Executes malicious scripts in a user’s browser to steal data, hijack sessions, or manipulate page content.
    • Example: An attacker injects a script into a forum post that steals cookies from users who view the post.

6.0.1.5 Preventing CSRF

To protect web applications from CSRF attacks, developers should implement the following measures:

  • CSRF Tokens: Use unique, unpredictable tokens for each session and include them in every form submission. These tokens help verify that the request originated from the legitimate user.

  • SameSite Cookies: Set the SameSite attribute on cookies to restrict how they are sent with requests from other sites, helping to prevent CSRF attacks.

  • Double Submit Cookie Pattern: Send a CSRF token in both a cookie and a form parameter, then verify that both match on the server.

  • Verify Referer Header: Check the Referer header to ensure requests originate from the same site.
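The first and last measures above, worked through as an added example that is not part of the course notes: a small pure-Python check that mirrors the principle behind Django’s CsrfViewMiddleware (per-session token compared in constant time, plus a Referer check on HTTPS). Django additionally masks the token it renders into the form; that detail is omitted here, and the hostname bank.example is a constructed stand-in.

```python
# Added example (not from the course notes): a minimal server-side CSRF check
# in plain Python that mirrors the principle behind Django's CsrfViewMiddleware
# (Django additionally masks the rendered token; that detail is omitted here).
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SITE_HOST = "bank.example"  # constructed hostname standing in for the trusted site


def issue_csrf_token() -> str:
    """Unpredictable per-session token, the value {% csrf_token %} renders into the form."""
    return secrets.token_urlsafe(32)


def csrf_check(session_token: Optional[str], form_token: Optional[str],
               referer: Optional[str], secure: bool = True) -> tuple:
    """Return (accepted, reason) for one POST; all inputs are taken from the request."""
    if not session_token:
        return False, "no CSRF token bound to the session"
    if not form_token:
        return False, "form field csrfmiddlewaretoken missing"
    # Constant-time compare so a mismatch does not leak which bytes matched.
    if not hmac.compare_digest(session_token.encode(), form_token.encode()):
        return False, "CSRF token mismatch"
    # Over HTTPS Django also requires a same-site Referer: a form auto-submitted
    # from a foreign page arrives with that page's origin (or no Referer at all).
    if secure:
        host = urlsplit(referer).hostname if referer else None
        if host != SITE_HOST:
            return False, f"Referer host {host!r} is not {SITE_HOST!r}"
    return True, "ok"


def demo() -> list:
    """Replay the scenarios from the notes: a legitimate submit versus forged ones."""
    tok = issue_csrf_token()
    cases = {
        "legitimate form post": (tok, tok, f"https://{SITE_HOST}/contact/"),
        "forged post, no token": (tok, None, "https://evil.example/"),
        "forged post, guessed token": (tok, secrets.token_urlsafe(32), "https://evil.example/"),
        "right token, foreign Referer": (tok, tok, "https://evil.example/"),
    }
    return [(name, csrf_check(*args)[0]) for name, args in cases.items()]
```

Only the first scenario in demo() is accepted; each forged variant is refused with a reason string you can log for detection.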

6.0.1.6 Conclusion

CSRF is a significant security threat that can lead to unauthorized actions in a user’s account without their knowledge. By understanding the mechanisms of CSRF and implementing preventive measures, developers can protect their applications and users from these attacks. Learning about both XSS and CSRF provides a broader understanding of web security vulnerabilities and the importance of safeguarding web applications.

6.1 CSRF Token in Form