Security
Djangae-scaffold provides a good skeleton project setup with various security libraries included and settings configured as a starting point.
Djangae also provides the following features to aid security:
Security Middleware
djangae.contrib.security.middleware.AppEngineSecurityMiddleware
is a Django middleware which
patches certain parts of App Engine and its libraries, specifically:
- The Python
yaml
library is patched so that the default loader isyaml.loader.SafeLoader
in order to prevent arbitrary Python code execution. - The Python
json
library is patched so that the default encoder class escapes the HTML entities<
,>
and&
.
This middleware applies the patches and then raises django.core.exceptions.MiddlewareNotUsed
so that it does not re-apply the patches on subsequent requests. Note that in tests which don't load any middleware the patches will not be applied.
dumpurls
Management Command
Use the dumpurls
management command to generate a report listing all the configured URL patterns in your project.
For each pattern, the report shows the regular expression for the full path, the Python dotted module name for the view that handles requests, and the names of decorators that may have been applied to the view.
Supports the following optional parameters:
--show_allowed_methods
HTTP methods supported by this view (CBVs only)--show_class_parents
CBVs only. Shows which classes this view inherits from--output_file_type
Export dumpurl data to a json or csv file. Choices:json
orcsv
CSRF session check
The built in Djangae checks enforce the use of session-based (rather than cookie-based) CSRF tokens. To satisfy this check
the CSRF_USE_SESSIONS
setting must be True.