Scirius – Suricata Ruleset Management Web Application

Scirius Community Edition is a web interface dedicated to Suricata ruleset management. It manages the rules file and updates the associated files. A Ruleset is made of components selected from different Sources. A Source is a set of files providing informatio… Continue reading Scirius – Suricata Ruleset Management Web Application

CarontePass: Open Access Control For Your Hackerspace

A problem faced by all collaborative working spaces as they grow is that of access control. How can you give your membership secure access to the space without the cost and inconvenience of having a keyholder on site at all times?

[Torehc] is working on solving this problem with his CarontePass RFID access system, at the Kreitek Makerspace (Spanish, Google Translate link) in Tenerife, Canary Islands.

Each door has a client with RFID readers, either a Raspberry Pi or an ESP8266, which connects via WiFi to a Raspberry Pi 2 server running a Django-based REST API. This server has access …read more

Continue reading CarontePass: Open Access Control For Your Hackerspace

How much of a Django application could be reverse-engineered if the owner forgot to turn debug mode off?

I’ve been writing a Django app and almost published it with debug mode on. Django’s documentation indicates

Never deploy a site into production with DEBUG turned on.

Did you catch that? NEVER deploy a site into prod… Continue reading How much of a Django application could be reverse-engineered if the owner forgot to turn debug mode off?

Why is referer checking needed for Django to prevent CSRF

Today I learned that Django’s CSRF protection uses refer(r)er header checking in addition to checking a hidden form field against a cookie. It seems to be important, judging from docs and issue below.

It only checks this over HTTPS though. I’ve also noticed that almost no other website checks referer [since I turned off sending of said header and most forms still work].

So I have two questions:

  1. How would the attack work that would be possible without this check? Doesn’t https protect against man-in-the-middle attacks?
  2. How do other websites protect against it? And does Django not protect for http?

The info that I found:

https://docs.djangoproject.com/en/1.8/ref/csrf/#how-it-works

In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP ‘Set-Cookie’ headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)

https://code.djangoproject.com/ticket/16870

Unfortunately, this check is absolutely necessary for the security of Django’s CSRF protection. Without it, we can’t prevent man-in-the-middle attacks on SSL sites. We made the decision that preventing MITM was a more valuable tradeoff than breaking sites for the small minority of users who block the header in a fashion which does not improve privacy.

Continue reading Why is referer checking needed for Django to prevent CSRF

What are the pros and cons of using sha256 to hash a password before passing it to bcrypt?

I recently became aware of the fact that bcrypt truncates passwords to 72 characters. Practically speaking my intuition is that this does not pose any major security problems. However, I understand that it does mean any software libraries … Continue reading What are the pros and cons of using sha256 to hash a password before passing it to bcrypt?