Hi Adam, Shoury,

About the '/admin' URL not being routed to the admin: I can't remember if this
is documented in the Django documentation (I can't find it right now). But
a lot of documentation on the internet says to change, in urls.py, from
path('admin/') to path('admin-something'). In my opinion the admin path
should be stored with the secrets of the application (like S3 keys,
SECRET_KEY, etc.) to make sure that it doesn't get into
GitHub/somewhere.

Another idea would be to create an ADMIN_URL='admin/' variable by
default in settings.py with a comment next to it, similar to SECRET_KEY,
and also add a deployment check. So all (or more) changes needed to go to
production happen in settings.py instead of in different places. Users
would be more aware of this from the beginning as well while editing
settings.py.

Either way: I'd be happy to write a Django check to make sure that
'admin/' is not routed to the admin.

Rate-limiting: recently I've started using django-axes. I don't know if
any inspiration could be taken from there
(https://github.com/jazzband/django-axes).

Cheers,


On Nov/16/2020, Adam Johnson wrote:
> Hi Shoury,
> 
> I agree that this is an easy thing to change to prevent discovery of the
> admin. I've done it on several projects, and I saw Will Vincent mentioned
> it in his recent article on security:
> https://learndjango.com/tutorials/django-best-practices-security
> 
> Implementation-wise, perhaps we could add another system check that checks
> if /admin is routed to the admin, and recommends it be changed if so.
> 
> That said, such a check would not apply in every situation. I've seen
> Django projects that are *only* the admin, or that only exist on an
> internal trusted network, and there the '/admin' URL may be of use for
> discovery.
> 
> We also have other possible, stronger defenses here, such as adding
> rate-limiting to the login page: https://code.djangoproject.com/ticket/21289
> 
> Thanks,
> 
> Adam
> 
> On Tue, 10 Nov 2020 at 20:30, Arvind Nedumaran <arvindamir...@gmail.com>
> wrote:
> 
> > The one I follow is to set an environment variable to see if it's a public
> > facing instance or a private one (disconnected from the internet) and use
> > that as a condition, which when true will add some URLs.
> >
> > It's the same pattern you'll follow when using something like Django Debug
> > Toolbar, where you check if DEBUG is true and, if it is, you add some more
> > URLs to the root URLconf.
> >
> > Hope that helps.
> >
> > P.S. This is the mailing list for contributions to Django itself.
> > Questions about how to use Django are better suited to the Django Users
> > mailing list or the forums.
> >
> > Onward,
> > Arvind
> >
> > On 10 Nov 2020, at 14:46, Shoury Sharma wrote:
> >
> > Hello everyone!
> > I was going through the idea of the admin page, but sometimes it can be a
> > security concern regarding access to admin stuff via URL/admin.
> > I would therefore like to give a suggestion regarding URL/admin: make it
> > some key which only the owners would have access to, so a user can never
> > have any way to reach the admin by penetrating into it in any malicious way.
> > Generous regards,
> > Shoury Sharma
> >
> 
> 
> -- 
> Adam
> 
-- 
Carles Pina i Estany
https://carles.pina.cat

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/20201116161516.GA24770%40pina.cat.
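The two ideas in Carles's message above (keep the admin prefix with the application's secrets, and add a check that warns when the admin is still routed at 'admin/') as an added example. This is my code, not code from the thread, from Carles, or from Django itself. It assumes a hypothetical DJANGO_ADMIN_URL environment variable and a hypothetical check id; the traversal reads only the attributes Django's URLResolver/URLPattern objects expose (pattern, url_patterns, app_name, callback), so it runs here on a constructed URLconf tree and would run unchanged on get_resolver().url_patterns in a real project.

```python
"""Added example, not from the mailing-list thread or from Django.

Two pieces:
  * load_admin_url(): read the admin route prefix from the environment like
    any other secret, validating it and refusing the default in production.
  * find_admin_mounts()/check_admin_url(): a system check that walks the
    URLconf and warns when an app with app_name == 'admin' is mounted at
    the well-known 'admin/' prefix.
"""
import os
import re
from types import SimpleNamespace

DEFAULT_ADMIN_URL = "admin/"
# Hypothetical variable name; the thread only proposes an ADMIN_URL setting.
ADMIN_URL_ENV = "DJANGO_ADMIN_URL"
# One or more plain path segments, trailing slash, nothing that could be
# read as a regex, a traversal or a query string.
_ROUTE_RE = re.compile(r"^[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*/$")


def load_admin_url(environ=os.environ, require_custom=False):
    """Return the admin route prefix ('ops-console/'), defaulting to 'admin/'.

    With require_custom=True (use `not DEBUG` in settings.py) a missing or
    default value raises, so a production deploy cannot keep 'admin/' by
    accident.
    """
    value = environ.get(ADMIN_URL_ENV, DEFAULT_ADMIN_URL).strip().lstrip("/")
    if not value.endswith("/"):
        value += "/"
    if not _ROUTE_RE.match(value):
        raise ValueError(f"{ADMIN_URL_ENV} must be a plain route such as "
                         f"'ops-console/', got {value!r}")
    if require_custom and value == DEFAULT_ADMIN_URL:
        raise ValueError(f"{ADMIN_URL_ENV} must not be {DEFAULT_ADMIN_URL!r} "
                         "in production")
    return value


def find_admin_mounts(url_patterns, prefix=""):
    """Return the full route prefixes at which the admin app is included.

    Duck-typed over Django's URL objects: an include() gives a URLResolver
    with .url_patterns and .app_name, a view gives a URLPattern with
    .callback; both carry .pattern whose str() is the route ('admin/') or,
    for re_path(), the regex ('^admin/').
    """
    mounts = []
    for entry in url_patterns:
        route = prefix + str(entry.pattern).lstrip("^")
        if hasattr(entry, "url_patterns"):          # nested include()
            if getattr(entry, "app_name", None) == "admin":
                mounts.append(route)                # admin.site.urls sets app_name='admin'
            else:
                mounts.extend(find_admin_mounts(entry.url_patterns, route))
    return mounts


def check_admin_url(app_configs, **kwargs):
    """Django system check: warn if the admin is routed at 'admin/'."""
    from django.core import checks
    from django.urls import get_resolver

    return [
        checks.Warning(
            "The admin site is routed at the well-known 'admin/' path.",
            hint="Mount admin.site.urls under settings.ADMIN_URL and keep that "
                 "value with the application's secrets.",
            id="myproject.W001",        # hypothetical id for this example
        )
        for route in find_admin_mounts(get_resolver().url_patterns)
        if route == DEFAULT_ADMIN_URL
    ]


# Register the check only when Django is importable; the traversal above
# needs no Django, so the module still imports in a bare interpreter.
try:
    from django.core.checks import Tags, register
    register(check_admin_url, Tags.urls, deploy=True)
except ImportError:
    pass


def sample_urlconf():
    """Constructed URLconf tree mirroring the attributes Django's objects have:
    the admin at 'admin/', a plain app, and a second admin site nested under
    'ops/' via a re_path()-style regex prefix."""
    leaf = SimpleNamespace(pattern="posts/", callback=lambda request: None)
    return [
        SimpleNamespace(pattern="admin/", app_name="admin", url_patterns=[]),
        SimpleNamespace(pattern="blog/", app_name="blog", url_patterns=[leaf]),
        SimpleNamespace(pattern="ops/", app_name=None, url_patterns=[
            SimpleNamespace(pattern="^console/", app_name="admin", url_patterns=[]),
        ]),
    ]


if __name__ == "__main__":
    print(find_admin_mounts(sample_urlconf()))
    print(load_admin_url({ADMIN_URL_ENV: "/ops-console"}, require_custom=True))
```

In a real project the urls.py line becomes path(settings.ADMIN_URL, admin.site.urls) with ADMIN_URL = load_admin_url(require_custom=not DEBUG) in settings.py, and `manage.py check --deploy` raises the warning while 'admin/' is still in use. Renaming the prefix only removes the easy discovery; it does not replace the login rate-limiting Adam mentions.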