- 关闭DEBUG模式
- 关闭swagger调试
- 妥善保存SECRET_KEY
- 使用SecurityMiddleware
- 设置SECURE_HSTS_SECONDS开启HSTS头,强制HTTPS访问
- 设置SECURE_CONTENT_TYPE_NOSNIFF输出nosniff头,防止类型混淆类漏洞
- 设置SECURE_BROWSER_XSS_FILTER输出x-xss-protection头,让浏览器强制开启XSS过滤
- 设置SECURE_SSL_REDIRECT让HTTP的请求强制跳转到HTTPS
- 设置SESSION_COOKIE_SECURE使Cookie为Secure,不允许在HTTP中传输
- 设置CSRF_COOKIE_SECURE使CSRF Token Cookie设置为Secure,不允许在HTTP中传输
- 设置CSRF_COOKIE_HTTPONLY为HTTP ONLY
- 设置X_FRAME_OPTIONS返回X-FRAME-OPTIONS: DENY头,以防止被其他页面作为框架加载导致ClickJacking
- 部署前运行安全性检测 django-admin.py checksecure --settings=production_settings
-
-
Save mylamour/311299cc7fb80ad9f6674b2cf4ca02a4 to your computer and use it in GitHub Desktop.
#part of django security#
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment