Security is our first priority. We try to make projects as secure as possible. We use a lot of 3rd party tools to achieve that.
Django has a lot of security-specific settings that are all turned on by default in this template.
We also enforce all the best practices
django checks inside CI for each commit.
We also use a set of custom
to enforce even more security rules:
django-axes to track and ban repeating access requests
django-csp to enforce Content-Security Policy for our webpages
django-http-referrer-policy to enforce Referrer Policy for our webpages
And there are also some awesome extensions that are not included:
django-honeypot - django application that provides utilities for preventing automated form spam
We use strong algorithms for password hashing:
Argon2 which are known to be secure enough.
We use poetry which ensures that all the dependencies hashes match during the installation process. Otherwise, the build will fail. So, it is almost impossible to replace an already existing package with a malicious one.
We also use safety to analyze vulnerable dependencies to prevent the build to go to the production with known unsafe dependencies.
We also use Github security alerts for our main template repository.
includes bandit security checks inside.
You can also install pyt
which is not included by default.
It will include even more static checks for
xss and others.
You can monitor your running application to detect anomalous activities. Tools to consider:
dagda - a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities
All the tools above are not included into this template. You have to install them by yourself.
We store secrets separately from code. So, it is harder for them to leak. However, we encourage to use tools like truffleHog or detect-secrets inside your workflow.
You can also turn on Gitlab secrets checker which we highly recommend.
The only way to be sure that your app is secure is to constantly audit it in production.
There are different tools to help you:
twa - tiny web auditor that has a lot of security checks for the webpages
XSStrike - automated tool to check that your application is not vulnerable to
docker-bench - a script that checks for dozens of common best-practices around deploying Docker containers in production
lynis - a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system
trivy - a simple and comprehensive vulnerability scanner for containers
But, even after all you attempts to secure your application, it won’t be 100% safe. Do not fall into this false feeling of security.