Django
Django Security
CSRF, XSS, clickjacking, and secure settings
- CSRF — token on POST forms; CsrfViewMiddleware validates it on every unsafe request
- XSS — templates auto-escape variables; avoid `|safe` on user-supplied HTML
- SQL injection — ORM uses parameterized queries
- Clickjacking — XFrameOptionsMiddleware sets the X-Frame-Options header
# Production settings excerpt
DEBUG = False                       # never expose tracebacks/settings in production
SECURE_SSL_REDIRECT = True          # redirect all plain-HTTP requests to HTTPS
SESSION_COOKIE_SECURE = True        # session cookie only sent over HTTPS
CSRF_COOKIE_SECURE = True           # CSRF cookie only sent over HTTPS
SECURE_HSTS_SECONDS = 31536000      # one year of HSTS; browsers refuse plain HTTP
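The following is an added example, not code from the page or from the Django project: a small audit that checks a settings mapping against the production values listed above and confirms that the CSRF and clickjacking middleware are installed. It needs no Django install; the `WEAK_SETTINGS` and `HARDENED_SETTINGS` dicts are constructed sample data, and the function name `audit_settings` is my own.

```python
"""Audit a Django settings mapping for the production values listed above.

Added example (not from the original page). Runs without Django: pass any
mapping, e.g. ``vars(my_project.settings)`` or a dict built from it.
Inspired by the intent of ``manage.py check --deploy``.
"""

# Settings that must hold exactly these values in production.
REQUIRED = {
    "DEBUG": False,
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}
MIN_HSTS_SECONDS = 31536000  # one year, matching the excerpt above

# Middleware that implements the CSRF and clickjacking protections.
REQUIRED_MIDDLEWARE = (
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
)


def audit_settings(settings):
    """Return a list of findings (strings); an empty list means all checks passed."""
    findings = []

    for key, expected in REQUIRED.items():
        actual = settings.get(key)  # a missing key is treated as a failure
        if actual != expected:
            findings.append(f"{key} should be {expected!r}, got {actual!r}")

    hsts = settings.get("SECURE_HSTS_SECONDS", 0)
    if not isinstance(hsts, int) or hsts < MIN_HSTS_SECONDS:
        findings.append(
            f"SECURE_HSTS_SECONDS should be >= {MIN_HSTS_SECONDS}, got {hsts!r}"
        )

    middleware = settings.get("MIDDLEWARE", [])
    for name in REQUIRED_MIDDLEWARE:
        if name not in middleware:
            findings.append(f"MIDDLEWARE is missing {name}")

    return findings


# Constructed sample: a development-style configuration left in place.
WEAK_SETTINGS = {
    "DEBUG": True,
    "SESSION_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
    "MIDDLEWARE": ["django.middleware.csrf.CsrfViewMiddleware"],
}

# Constructed sample: the same project with the production excerpt applied.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "SECURE_SSL_REDIRECT": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "MIDDLEWARE": [
        "django.middleware.security.SecurityMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
        "django.middleware.clickjacking.XFrameOptionsMiddleware",
    ],
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        result = audit_settings(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Against `WEAK_SETTINGS` the audit reports six findings (the four boolean settings, the HSTS age, and the missing XFrameOptionsMiddleware); against `HARDENED_SETTINGS` it reports none. Running this in CI against the real settings module catches a `DEBUG = True` or a dropped middleware before it reaches production.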