Security
Security is a critical aspect of any software development process. It involves implementing measures to protect software applications from threats and vulnerabilities. This includes secure coding practices, regular security audits, and using tools to identify and mitigate risks.
1. Hashing
Feature | Description |
---|---|
What | One-way transformation of data |
Use Case | Secure password storage, file integrity checks |
Can be reversed? | No |
Common Algorithms | SHA-256, bcrypt, PBKDF2, Argon2 |
Web Use
- Store only the hashed + salted password (e.g. Django uses `PBKDF2` by default).
- Never store plain passwords.
- Validate with `check_password()`.
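The salted PBKDF2 storage and constant-time verification described above, written out as an added example on the standard library (this is not Django's own hasher; the iteration count and the `pbkdf2_sha256$iterations$salt$hash` encoding are assumptions for the example):

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not Django's hasher: PBKDF2-HMAC-SHA256 with a random
# 16-byte salt per password, encoded as "pbkdf2_sha256$<iterations>$<salt>$<hash>"
# so the parameters travel with the stored value. The iteration count is an
# assumption for the example, not Django's default.
HASH_NAME = "sha256"
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted, iterated hash suitable for storing in the user table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_{}${}${}${}".format(
        HASH_NAME,
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def check_password(password: str, encoded: str) -> bool:
    """Re-derive the hash with the stored salt/iterations and compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = encoded.split("$")
    hash_name = algorithm.removeprefix("pbkdf2_")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, int(iterations))
    # compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the guess was right
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(check_password("correct horse battery staple", stored))  # True
    print(check_password("wrong password", stored))  # False
```

Because the salt is random, hashing the same password twice yields two different stored strings; the verifier reads the salt back out of the stored value, so no separate salt column is needed.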
2. Encryption
Feature | Description |
---|---|
What | Reversible encoding using a key |
Use Case | Secure transmission (HTTPS), data at rest |
Can be reversed? | Yes, with key |
Types | Symmetric (AES), Asymmetric (RSA) |
Web Use
- TLS/SSL encrypts HTTP traffic (HTTPS).
- Encrypt sensitive database fields (e.g. card details) using Django-encrypted-fields or Fernet.
3. Keys (Symmetric & Asymmetric)
Type | Use | Example |
---|---|---|
Symmetric | Same key for encrypt/decrypt | AES |
Asymmetric | Public key encrypts, private key decrypts | RSA, HTTPS certificates |
Web Use
- HTTPS uses TLS with asymmetric keys to establish secure sessions.
- JWTs are signed with private keys (asymmetric) or HMAC secrets (symmetric).
5. JWT (JSON Web Token)
- Compact, self-contained token used for stateless authentication.
- Contains `header`, `payload`, and `signature`.
Web Use
- Used in APIs to authenticate users (`Authorization: Bearer <token>`).
- Must be signed and verified with a secret.
7. CSRF (Cross-Site Request Forgery)
Feature | Description |
---|---|
What | Attack where logged-in users are tricked into submitting unintended requests |
Prevent with | CSRF tokens, `SameSite` cookies, checking `Origin` headers |
Web Use
- Django includes CSRF protection out of the box.
- You must use `{% csrf_token %}` in HTML forms.
- Not needed for stateless JWT APIs.
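The three defences in the table (token, `SameSite` cookie, `Origin` check) as one added example. It is a simplified model, not Django's `CsrfViewMiddleware`; the cookie and form field names follow Django's defaults, and all header, cookie and origin values are constructed.

```python
import hmac
from typing import Dict, Iterable, Tuple

# Added example (simplified, not Django's middleware): an Origin allow-list
# plus a double-submit token comparison for state-changing requests, and the
# cookie attributes that keep a session cookie off cross-site POSTs.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def csrf_check(method: str, headers: Dict[str, str], cookies: Dict[str, str],
               form: Dict[str, str], trusted_origins: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Only unsafe methods are checked."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = headers.get("Origin")
    if origin is None:
        return False, "missing Origin header"
    if origin not in set(trusted_origins):
        return False, "untrusted origin"
    cookie_token = cookies.get("csrftoken", "")          # set by the server
    form_token = form.get("csrfmiddlewaretoken", "")     # echoed by {% csrf_token %}
    if not cookie_token or not form_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "CSRF token mismatch"
    return True, "ok"


def session_cookie_header(name: str, value: str, same_site: str = "Lax") -> str:
    """Build a Set-Cookie value; SameSite=Lax/Strict keeps the cookie off cross-site POSTs."""
    if same_site not in {"Strict", "Lax", "None"}:
        raise ValueError("SameSite must be Strict, Lax or None")
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "Secure", f"SameSite={same_site}"]
    return "; ".join(attrs)
```

A forged cross-site form post fails at the first check that applies: the attacker's page cannot send a matching `Origin`, and cannot read the `csrftoken` cookie to copy it into the form.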
8. XSS (Cross-Site Scripting)
Feature | Description |
---|---|
What | Inject malicious JS into pages |
Types | Stored, Reflected, DOM |
Prevent with | Escaping output, input validation, Content Security Policy (CSP) |
Web Use
- Never render raw HTML from users.
- Django auto-escapes `{{ variable }}`.
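What "auto-escaping `{{ variable }}`" actually does, as an added example of a tiny template renderer (not Django's engine): every interpolated value is HTML-escaped, including quotes so attribute context is covered, and only values explicitly marked safe bypass it. The `SafeString` marker and the inputs are constructed for the example.

```python
import html
import re
from typing import Any, Dict

# Added example (not Django's template engine): escaping applied to every
# interpolated value, with an explicit opt-out for already-trusted HTML.


class SafeString(str):
    """Marks HTML that has already been sanitised; rendered without escaping."""


def escape(value: Any) -> str:
    if isinstance(value, SafeString):
        return str(value)
    # quote=True also escapes " and ', so a value is safe inside an attribute too
    return html.escape(str(value), quote=True)


PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, context: Dict[str, Any]) -> str:
    """Replace each {{ name }} with the escaped context value (missing names render empty)."""
    return PLACEHOLDER.sub(lambda m: escape(context.get(m.group(1), "")), template)


if __name__ == "__main__":
    print(render("<p>Hi {{ name }}</p>", {"name": "<script>alert(1)</script>"}))
```

The second assertion in the test is the attribute case that body-only escaping misses: a value containing `"` would otherwise close the attribute and start a new one.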
9. CORS (Cross-Origin Resource Sharing)
Feature | Description |
---|---|
What | Controls which origins can access your API |
Prevents | Unauthorized frontend domains from calling your backend |
Headers | `Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials` |
Web Use
- Use `django-cors-headers` to allow trusted origins (e.g., your React frontend).
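How an allow-list of trusted origins turns into the two headers in the table, as an added example (not `django-cors-headers` itself). The origins, the method list and the `preflight_method` parameter are constructed for the example.

```python
from typing import Dict, Iterable, Optional

# Added example (not django-cors-headers): answer CORS requests from an
# allow-list instead of reflecting whatever Origin arrives.
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS"}


def cors_headers(request_origin: Optional[str], allowed_origins: Iterable[str],
                 allow_credentials: bool = False,
                 preflight_method: Optional[str] = None) -> Dict[str, str]:
    """Return the CORS headers for this request, or {} when the origin is not trusted."""
    if request_origin is None or request_origin not in set(allowed_origins):
        return {}  # no Access-Control-Allow-Origin: the browser blocks the cross-origin read
    headers = {
        # Echo the allow-listed origin; "*" is not usable together with credentials
        "Access-Control-Allow-Origin": request_origin,
        # Caches must not serve one origin's answer to another
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if preflight_method is not None:
        # OPTIONS preflight: the browser asks whether this method is allowed
        if preflight_method.upper() not in ALLOWED_METHODS:
            return {}
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

Returning an empty dict for an unknown origin is the safe failure mode: the response is still sent, but without the header the browser refuses to hand it to the calling page.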
10. HTTPS and SSL/TLS
Feature | Description |
---|---|
What | Encrypts traffic between client and server |
Why | Prevents MITM (Man-in-the-Middle) attacks |
Implement with | TLS certificates (e.g., Let's Encrypt) |
Web Use
- Use HTTPS in production.
- Redirect all HTTP traffic to HTTPS.
11. Rate Limiting & Throttling
Feature | Description |
---|---|
What | Limits API usage per user/IP |
Prevents | Abuse, brute force, scraping |
Tools | Django Ratelimit, DRF throttling |
Web Use

```python
# settings.py: Django REST Framework throttling, applied to every view by default
REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.UserRateThrottle',   # keyed by authenticated user
        'rest_framework.throttling.AnonRateThrottle',   # keyed by client IP
    ],
    'DEFAULT_THROTTLE_RATES': {
        'user': '1000/day',
        'anon': '100/day',
    },
}
```
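What a throttle like the one configured above has to do per request, as an added example (not DRF's `throttling` module): parse a `number/period` rate, keep a sliding window of timestamps per key, and reject once the window is full. The `now` parameter exists so the behaviour can be checked deterministically; keys and rates are constructed.

```python
import time
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Added example (not DRF's implementation): a sliding-window throttle keyed
# by user id or client IP, using DRF-style "<count>/<period>" rate strings.
PERIOD_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_rate(rate: str) -> Tuple[int, int]:
    """'100/day' -> (100, 86400); only the first letter of the period matters."""
    count, period = rate.split("/")
    return int(count), PERIOD_SECONDS[period[0].lower()]


class SlidingWindowThrottle:
    def __init__(self, rate: str) -> None:
        self.limit, self.duration = parse_rate(rate)
        self.history: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Record the request if under the limit and return True; otherwise False."""
        now = time.time() if now is None else now
        window = self.history.setdefault(key, deque())
        # Drop timestamps that have aged out of the window
        while window and window[0] <= now - self.duration:
            window.popleft()
        if len(window) >= self.limit:
            return False  # caller answers 429 Too Many Requests
        window.append(now)
        return True


if __name__ == "__main__":
    throttle = SlidingWindowThrottle("3/min")
    print([throttle.allow("203.0.113.7", now=t) for t in (0, 1, 2, 3)])  # [True, True, True, False]
```

Keying anonymous traffic by IP and authenticated traffic by user id, as the two DRF classes do, keeps one abusive client from consuming another's allowance; in production the history lives in a shared cache rather than a process-local dict.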
12. Secure HTTP Headers
Header | Purpose |
---|---|
`X-Frame-Options: DENY` | Prevent clickjacking |
`X-Content-Type-Options: nosniff` | Stop MIME-type attacks |
`Content-Security-Policy` | Prevent inline scripts |
`Strict-Transport-Security` | Enforce HTTPS |
Web Use
- Use Django's `SecurityMiddleware` and tools like `django-secure`.
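The header set from the table applied to a response and audited, as an added example (not Django's `SecurityMiddleware`). The CSP and HSTS values are common restrictive defaults chosen for the example, and the `is_https` flag models the fact that HSTS is only honoured over TLS.

```python
from typing import Dict, List

# Added example (not Django's SecurityMiddleware): apply the headers from the
# table to a response and report which ones a response is missing.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def apply_security_headers(headers: Dict[str, str], is_https: bool) -> Dict[str, str]:
    """Return a copy of the response headers with the security set added."""
    result = dict(headers)
    for name, value in SECURITY_HEADERS.items():
        if name == "Strict-Transport-Security" and not is_https:
            continue  # browsers ignore HSTS on plain HTTP; do not pretend it is set
        result.setdefault(name, value)  # a view's more specific value wins
    return result


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """List the expected security headers absent from a response (case-insensitive)."""
    present = {name.lower() for name in headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]


if __name__ == "__main__":
    print(audit_security_headers({"Content-Type": "text/html"}))
    print(audit_security_headers(apply_security_headers({"Content-Type": "text/html"}, is_https=True)))
```

The audit helper is the check to run against a staging deployment's real responses: middleware that is installed but ordered wrongly, or a reverse proxy that strips headers, shows up as a non-empty list.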
13. Security Practices for Web Developers
Task | Best Practice |
---|---|
Store passwords | Use `make_password()` and `check_password()` (Django) |
Store secrets | Use `.env` files or secret managers (e.g., AWS SSM) |
Input validation | Validate both client and server-side |
Error handling | Don't expose stack traces to users |
Logging | Log auth failures, unusual access patterns |
Dependency checks | Use `pip-audit`, `safety` to check vulnerable packages |
Security Checklist Summary
Area | What to Do |
---|---|
Passwords | Hash + salt |
Sessions | Secure cookies |
APIs | Use tokens (JWT, OAuth) |
CORS | Allow only trusted domains |
CSRF | Protect forms and cookies |
XSS | Escape output |
HTTPS | Use TLS and redirect HTTP |
Headers | Set security headers |
Secrets | Keep out of codebase |
Logs | Monitor failures + suspicious events |