Djangae-scaffold provides a good skeleton project setup with various security libraries included and settings configured as a starting point.
Djangae also provides the following features to aid security:
djangae.contrib.security.middleware.AppEngineSecurityMiddleware is a Django middleware which
patches certain parts of App Engine and its libraries, specifically:
- The Python
yamllibrary is patched so that the default loader is
yaml.loader.SafeLoaderin order to prevent arbitrary Python code execution.
- The Python
jsonlibrary is patched so that the default encoder class escapes the HTML entities
This middleware applies the patches and then raises
django.core.exceptions.MiddlewareNotUsed so that it does not re-apply the patches on subsequent requests. Note that in tests which don't load any middleware the patches will not be applied.
dumpurls Management Command
dumpurls management command to generate a report listing all the configured URL patterns in your project.
For each pattern, the report shows the regular expression for the full path, the Python dotted module name for the view that handles requests, and the names of decorators that may have been applied to the view.
Supports the following optional parameters:
--show_allowed_methodsHTTP methods supported by this view (CBVs only)
--show_class_parentsCBVs only. Shows which classes this view inherits from
--output_file_typeExport dumpurl data to a json or csv file. Choices:
CSRF session check
The built in Djangae checks enforce the use of session-based (rather than cookie-based) CSRF tokens. To satisfy this check
CSRF_USE_SESSIONS setting must be True.