Skip to content

Instantly share code, notes, and snippets.

@mylamour mylamour/Django-Security.md Secret
Created Sep 14, 2018

Embed
What would you like to do?
#part of django security#
  • 关闭DEBUG模式
  • 关闭swagger调试
  • 妥善保存SECRET_KEY
  • 使用SecurityMiddleware
  • 设置SECURE_HSTS_SECONDS开启HSTS头,强制HTTPS访问
  • 设置SECURE_CONTENT_TYPE_NOSNIFF输出nosniff头,防止类型混淆类漏洞
  • 设置SECURE_BROWSER_XSS_FILTER输出x-xss-protection头,让浏览器强制开启XSS过滤
  • 设置SECURE_SSL_REDIRECT让HTTP的请求强制跳转到HTTPS
  • 设置SESSION_COOKIE_SECURE使Cookie为Secure,不允许在HTTP中传输
  • 设置CSRF_COOKIE_SECURE使CSRF Token Cookie设置为Secure,不允许在HTTP中传输
  • 设置CSRF_COOKIE_HTTPONLY为HTTP ONLY
  • 设置X_FRAME_OPTIONS返回X-FRAME-OPTIONS: DENY头,以防止被其他页面作为框架加载导致ClickJacking
  • 部署前运行安全性检测 django-admin.py checksecure --settings=production_settings
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.