
@yshalsager
Created February 22, 2024 19:11

Valentino Gagliardi - Decoupled Django: Understand and Build Decoupled Django Architectures for JavaScript Front-ends (Apress, 2021)

Hypermedia All the Things 2024-02-16 11:45  |  Page No.: 21 As you can see, we say users, not user, when retrieving the resource. As a convention, resources should always be plural.

2024-02-16 11:47  |  Page No.: 22 some HTTP verbs are idempotent, meaning that the result of the operation is always stable.

2024-02-16 11:47  |  Page No.: 22 A POST request instead will always induce a side effect, that is, create a new resource
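The practical consequence of the two highlights above is retry safety: a client or proxy that times out may resend a PUT or DELETE, but resending a POST repeats the side effect. The following is an added illustration, not code from the book; `UserStore`, `replay` and `is_idempotent` are constructed names standing in for a /users endpoint and a retrying client.

```python
"""Replay the same request twice and compare the stored state.

Added illustration, not code from the book: `UserStore` stands in for a
/users endpoint; the handler names, ids and payloads are constructed.
"""
from __future__ import annotations

import itertools
from typing import Any


class UserStore:
    """Toy backend for the /users collection."""

    def __init__(self) -> None:
        self._users: dict[int, dict[str, Any]] = {}
        self._ids = itertools.count(1)

    def post(self, payload: dict[str, Any]) -> tuple[int, int]:
        """POST /users: every call creates another resource (a new side effect each time)."""
        uid = next(self._ids)
        self._users[uid] = dict(payload)
        return 201, uid

    def put(self, uid: int, payload: dict[str, Any]) -> tuple[int, int]:
        """PUT /users/{id}: replace the representation; a repeat leaves the store unchanged."""
        status = 201 if uid not in self._users else 200
        self._users[uid] = dict(payload)
        return status, uid

    def delete(self, uid: int) -> int:
        """DELETE /users/{id}: the end state is the same on a retry, only the status differs."""
        return 404 if self._users.pop(uid, None) is None else 204

    def snapshot(self) -> dict[int, dict[str, Any]]:
        return {k: dict(v) for k, v in self._users.items()}


def replay(store: UserStore, method: str, *args: Any, times: int = 2) -> list[dict[int, dict[str, Any]]]:
    """Issue the same request `times` times, as a retrying client would,
    and record the store after each attempt."""
    states = []
    for _ in range(times):
        getattr(store, method)(*args)
        states.append(store.snapshot())
    return states


def is_idempotent(method: str, *args: Any) -> bool:
    """True when a second identical request leaves the store exactly as the first did."""
    first, second = replay(UserStore(), method, *args)
    return first == second
```

`is_idempotent("put", 7, {...})` and `is_idempotent("delete", 7)` return True, `is_idempotent("post", {...})` returns False because the second replay adds a second user. The usual mitigation for endpoints that must be POST is a client-supplied idempotency key the server deduplicates on.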

Cacheable 2024-02-16 11:57  |  Page No.: 24 A well-designed REST API should always give the client hints about the lifetime of a GET response. To do so, the backend sets a Cache-Control header on the response with a max-age directive,

2024-02-16 11:58  |  Page No.: 25 Cache-Control: max-age=3600

2024-02-16 11:59  |  Page No.: 25 Another method for enabling HTTP caching involves the Last-Modified header.

2024-02-16 11:59  |  Page No.: 25 When the client requests the same resource and max-age is not yet expired, the response is fetched from the browser’s cache, not from the server. If max-age has expired, the client issues a request to the server by attaching the If-None-Match header, along with the value from the ETag. This mechanism is known as a conditional request. If the resource is still fresh, the server responds with 304 Not Modified, hence avoiding unnecessary exchange of data. If the resource instead is stale, that is, it’s expired, the server responds with a fresh response.

2024-02-16 12:00  |  Page No.: 25 responses with the Authorization header set aren’t cached by default, unless the Cache-Control header includes the public directive.
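The whole exchange from the caching highlights above (max-age, ETag/Last-Modified validators, the conditional request, 304) with both sides in one place, as an added example that is not part of the book. `Origin` (the API server), `Cache` (a browser or proxy cache), the /users body and the timestamps are constructed. One caveat the example makes explicit: per RFC 9111 section 3.5 the Authorization rule quoted above binds shared caches (CDN, reverse proxy); a private browser cache may store such a response, so the `shared` flag decides which rule applies.

```python
"""Freshness, conditional requests and the Authorization rule, end to end.

Added illustration, not code from the book. `Origin` and `Cache` are toy
classes; the /users body, its ETag and the timestamps are constructed.
Time is passed in explicitly so the exchange is deterministic.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_cache_control(value: str) -> dict[str, str | None]:
    """'max-age=3600, public' -> {'max-age': '3600', 'public': None}."""
    out: dict[str, str | None] = {}
    for part in value.split(","):
        k, _, v = part.strip().partition("=")
        if k:
            out[k.lower()] = v.strip('" ') or None
    return out


class Origin:
    """Server side: GET /users with Cache-Control, ETag and Last-Modified."""

    def __init__(self, body: bytes, last_modified: str, cache_control: str) -> None:
        self.body, self.last_modified, self.cache_control = body, last_modified, cache_control
        self.hits = 0  # requests that actually reached the server

    @property
    def etag(self) -> str:
        return '"%s"' % hashlib.sha256(self.body).hexdigest()[:16]

    def get(self, req: dict[str, str]) -> Response:
        self.hits += 1
        headers = {"Cache-Control": self.cache_control, "ETag": self.etag,
                   "Last-Modified": self.last_modified}
        # Conditional request whose validator still matches: 304 and no body.
        if req.get("If-None-Match") == self.etag or req.get("If-Modified-Since") == self.last_modified:
            return Response(304, headers)
        return Response(200, headers, self.body)


class Cache:
    """Client side. shared=True models a CDN/proxy, shared=False a browser cache."""

    def __init__(self, origin: Origin, shared: bool = False) -> None:
        self.origin, self.shared = origin, shared
        self.store: dict[str, tuple[Response, float]] = {}  # url -> (response, stored_at)

    def _may_store(self, req: dict[str, str], resp: Response) -> bool:
        cc = parse_cache_control(resp.headers.get("Cache-Control", ""))
        if "no-store" in cc:
            return False
        # RFC 9111 s3.5: a *shared* cache must not reuse a response to a request
        # carrying Authorization unless public, must-revalidate or s-maxage allows it.
        if self.shared and "Authorization" in req:
            return bool({"public", "must-revalidate", "s-maxage"} & set(cc))
        return True

    def get(self, url: str, req: dict[str, str], now: float) -> Response:
        entry = self.store.get(url)
        if entry:
            cached, stored_at = entry
            max_age = int(parse_cache_control(cached.headers.get("Cache-Control", "")).get("max-age") or 0)
            if now - stored_at < max_age:          # still fresh: no network at all
                return Response(200, {**cached.headers, "X-Cache": "HIT"}, cached.body)
            cond = dict(req)                        # stale: revalidate with the validators we hold
            if "ETag" in cached.headers:
                cond["If-None-Match"] = cached.headers["ETag"]
            elif "Last-Modified" in cached.headers:
                cond["If-Modified-Since"] = cached.headers["Last-Modified"]
            resp = self.origin.get(cond)
            if resp.status == 304:                  # validator matched: reuse body, restart max-age
                self.store[url] = (Response(200, resp.headers, cached.body), now)
                return Response(200, {**resp.headers, "X-Cache": "REVALIDATED"}, cached.body)
        else:
            resp = self.origin.get(req)
        if resp.status == 200 and self._may_store(req, resp):
            self.store[url] = (resp, now)
        else:
            self.store.pop(url, None)
        return Response(resp.status, {**resp.headers, "X-Cache": "MISS"}, resp.body)


def walkthrough() -> tuple[list[str], int]:
    """The sequence from the text: miss, fresh hit, expiry, conditional GET answered with 304."""
    origin = Origin(b'[{"id":1,"name":"ada"}]', "Fri, 16 Feb 2024 11:45:00 GMT", "max-age=3600")
    cache = Cache(origin)
    trace = [cache.get("/api/users/", {}, now=t).headers["X-Cache"] for t in (0, 1800, 3600)]
    return trace, origin.hits
```

`walkthrough()` returns `(["MISS", "HIT", "REVALIDATED"], 2)`: three client requests, two of which reached the server, the second of those as a conditional GET answered with 304. Run the same sequence with `Cache(origin, shared=True)` and an `Authorization` header to see the response not stored at all until the server adds `public`.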

Wireframing the Billing App 2024-02-19 11:41  |  Page No.: 79 Having the UI in mind before writing any code is important; this is an approach known as outside-in development. By looking at the interface, we can begin to think about what API endpoint we need to expose.

Django Settings for Production 2024-02-19 13:20  |  Page No.: 103 Django Settings for Production

2024-02-19 13:20  |  Page No.: 103 SECURE_SSL_REDIRECT: Ensures that every request via HTTP gets redirected to HTTPS • ALLOWED_HOSTS: Drives what hostnames Django will serve

Authentication and Cookies in Django 2024-02-19 13:20  |  Page No.: 107 Note A popular alternative to Fetch, axios can help with an interceptor feature. It’s convenient for attaching cookies or other headers globally, on each request

Randomize the Admin URL 2024-02-19 13:21  |  Page No.: 108 With CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE set to True, we ensure that session authentication related cookies are transmitted only over HTTPS.

2024-02-19 13:21  |  Page No.: 108 Randomize the Admin URL

Audit Logging 2024-02-19 13:22  |  Page No.: 109 In addition to HTTPS, we can also configure Django to attach an HTTP header named Strict-Transport-Security to the response. By doing so, we ensure that browsers will connect to our websites only through HTTPS. This feature is called HSTS, and while Django has HSTS-related settings, it is common practice to add these headers at the webserver/proxy level.
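The production settings named in the highlights above (SECURE_SSL_REDIRECT, ALLOWED_HOSTS, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE and the HSTS settings) are easy to leave at their development values. Below is an added example, not code from the book, of a check that audits a settings module for them; the setting names are Django's own, while `check_production_settings`, `settings_from_module` and the two sample dictionaries are constructed here. It also flags one failure mode the text does not mention: SECURE_SSL_REDIRECT behind a TLS-terminating proxy needs SECURE_PROXY_SSL_HEADER, otherwise Django sees every request as HTTP and redirects in a loop.

```python
"""Audit Django settings for the production hardening the text lists.

Added illustration, not code from the book. Setting names are real Django
settings; the checker and the sample dicts are constructed. In a project,
pass `settings_from_module(my_project.settings.production)`.
"""
from __future__ import annotations

from types import ModuleType
from typing import Any

ONE_YEAR = 31536000


def settings_from_module(module: ModuleType) -> dict[str, Any]:
    """Django settings are the upper-case names of a module."""
    return {k: v for k, v in vars(module).items() if k.isupper()}


def check_production_settings(cfg: dict[str, Any]) -> list[str]:
    """Return one finding per weak setting; an empty list means the checks pass."""
    findings: list[str] = []

    if cfg.get("DEBUG", False):
        findings.append("DEBUG must be False: error pages leak settings and source")

    hosts = cfg.get("ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or contains '*': the Host header is not validated")

    if not cfg.get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT should be True so plain-HTTP requests are redirected")
    elif cfg.get("SECURE_PROXY_SSL_HEADER") is None:
        findings.append("SECURE_SSL_REDIRECT behind a TLS-terminating proxy needs "
                        "SECURE_PROXY_SSL_HEADER, or every request redirects in a loop")

    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not cfg.get(name, False):
            findings.append(f"{name} should be True so the cookie is never sent over HTTP")

    hsts = int(cfg.get("SECURE_HSTS_SECONDS", 0) or 0)
    if hsts == 0:
        findings.append("SECURE_HSTS_SECONDS is 0: Django sends no Strict-Transport-Security "
                        "header (acceptable only if the proxy sets it)")
    elif hsts < ONE_YEAR:
        findings.append(f"SECURE_HSTS_SECONDS={hsts}: raise to at least one year once HTTPS is stable")

    return findings


# Constructed samples: a typical development configuration and a hardened one.
DEV_SETTINGS: dict[str, Any] = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
}

PRODUCTION_SETTINGS: dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["decoupled-django.example.com"],
    "SECURE_SSL_REDIRECT": True,
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": ONE_YEAR,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
}
```

`check_production_settings(DEV_SETTINGS)` returns six findings and `check_production_settings(PRODUCTION_SETTINGS)` returns none. If HSTS is set at the NGINX level as the text suggests, keep SECURE_HSTS_SECONDS at 0 in Django and treat that finding as informational; setting the header in both places is harmless but redundant.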

2024-02-19 13:22  |  Page No.: 109 The website https://securityheaders.com offers a free scanner that can help in identifying what security headers can be added to the NGINX configuration.

Cross-Origin Resource Sharing 2024-02-19 13:22  |  Page No.: 110 There are a couple of packages for Django to add audit logging capabilities: • django-simple-history • django-auditlog django-simple-history can track changes on models. This capability, paired with access logging, can provide effective audit logging for Django projects. django-simple-history is a mature package, actively supported. On the other hand, django-auditlog provides the same functionalities, but it is still in development at the time of this writing.

2024-02-19 13:23  |  Page No.: 110 When JavaScript attempts to fetch a resource from a different origin than its own, a mechanism known as Cross-Origin Resource Sharing (CORS) kicks in within the browser. In any REST or GraphQL project, CORS is necessary to control what origins can connect to the API. To enable CORS in Django, we can install django-cors-headers in our project

2024-02-19 13:24  |  Page No.: 110 INSTALLED_APPS = [ ... 'corsheaders',

2024-02-19 13:24  |  Page No.: 111 MIDDLEWARE = [ ... 'corsheaders.middleware.CorsMiddleware',

2024-02-19 13:25  |  Page No.: 111 Relaxing CORS in Development CORS_ALLOW_ALL_ORIGINS = True

2024-02-19 13:26  |  Page No.: 111 production.py - Hardening CORS in Production CORS_ALLOWED_ORIGINS = [ "https://example.com", "http://another1.io", "http://another2.io", ]
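What the two settings above actually decide: django-cors-headers compares the request's Origin header against CORS_ALLOWED_ORIGINS as full origins (scheme, host and port), so the book's production list admits `http://another1.io` but not `https://another1.io`. The following is an added example, not the book's code and not the package's own middleware: `cors_headers_for` is a constructed function mirroring that decision for the allow-list and allow-all settings, and `reflect_origin_unsafe` shows the anti-pattern of echoing any Origin back with credentials.

```python
"""Which Origin values a CORS allow-list accepts, and the reflection anti-pattern.

Added illustration, not code from the book or from django-cors-headers.
Function names, the sample origins and the evil origin are constructed.
"""
from __future__ import annotations

from collections.abc import Iterable


def cors_headers_for(request_origin: str | None,
                     allowed_origins: Iterable[str] = (),
                     allow_all: bool = False,
                     allow_credentials: bool = False) -> dict[str, str]:
    """Response headers for a request from `request_origin`; {} means 'not allowed'.

    Mirrors CORS_ALLOWED_ORIGINS (exact origin match) and
    CORS_ALLOW_ALL_ORIGINS ("*"). Browsers refuse "*" together with
    credentials, so that combination is rejected instead of silently
    weakened to origin reflection.
    """
    if request_origin is None:
        return {}  # same-origin or non-browser client: no CORS headers needed
    if allow_all:
        if allow_credentials:
            raise ValueError("'*' cannot be combined with credentials; browsers reject it")
        return {"Access-Control-Allow-Origin": "*"}
    # Exact string match: scheme, host and port all count, no prefix or suffix matching.
    if request_origin not in set(allowed_origins):
        return {}
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def reflect_origin_unsafe(request_origin: str) -> dict[str, str]:
    """Anti-pattern: echo whatever Origin arrived, with credentials.

    This passes the browser's check for any site, so any page can make
    cookie-authenticated requests to the API and read the responses.
    """
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


# The book's production list (constructed copy) and a few probes against it.
PRODUCTION_ALLOWED = ["https://example.com", "http://another1.io", "http://another2.io"]


def probe(origins: Iterable[str]) -> dict[str, bool]:
    """Which of `origins` the production list lets through."""
    return {o: bool(cors_headers_for(o, PRODUCTION_ALLOWED)) for o in origins}
```

`probe(["https://example.com", "https://another1.io", "https://example.com:8443", "https://example.com.evil.net"])` allows only the first: the https form of another1.io is a different origin from the http one listed, a port makes a different origin, and a suffix-lookalike domain is not a prefix match. Note that for CORS_ALLOW_ALL_ORIGINS plus CORS_ALLOW_CREDENTIALS the real middleware's behaviour should be checked in its source; the function above raises rather than guess.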

Authentication and Authorization in the DRF 2024-02-19 13:26  |  Page No.: 112 In web applications, authentication refers to the “who are you?” part of the identification flow. Authorization instead looks at the “what can you do with your credentials” part.
