That was my thinking as well.

This is a basic topic when it comes to web security. We can point to the OWASP 
10 but I don’t think it’s reasonable to cram a complete course about web security 
into Django’s documentation, let alone maintain it. Django’s docs will never 
contain everything one may need to know to write any project that may take 
advantage of Django.

-- 
Aymeric.

> On 06 Apr 2016, at 03:35, Josh Smeaton <josh.smea...@gmail.com> wrote:
> 
> I like the idea of addressing the OWASP top 10. Further, I think the advice 
> of obscuring keys is wrong. The problem is actually addressed in the OWASP 
> Top 10[0]
> 
> 4 Insecure Direct Object References:
> A direct object reference occurs when a developer exposes a reference to an 
> internal implementation object, such as a file, directory, or database key. 
> Without an access control check or other protection, attackers can manipulate 
> these references to access unauthorized data.
> 
> The proper solution is *Access Controls* like the Permissions system 
> provides. If you're going to rely on obscurity (one time file downloads for 
> example), then you want to do so with a UUID or some kind of cryptohash (I 
> haven't verified the particulars, don't take this comment as security 
> advice). That's not appropriate for something like a comments system.
> 
> [0] https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-developers+unsubscr...@googlegroups.com 
> <mailto:django-developers+unsubscr...@googlegroups.com>.
> To post to this group, send email to django-developers@googlegroups.com 
> <mailto:django-developers@googlegroups.com>.
> Visit this group at https://groups.google.com/group/django-developers 
> <https://groups.google.com/group/django-developers>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-developers/0ca48548-6c6f-4d80-b166-ff49487ff3cb%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/django-developers/0ca48548-6c6f-4d80-b166-ff49487ff3cb%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout 
> <https://groups.google.com/d/optout>.
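The two approaches Josh contrasts above, as an added stand-alone example (not code from the thread or from Django): an IDOR-prone lookup beside one scoped to the requesting user, plus a random single-use token for the one-time-download case. The in-memory COMMENTS store, the user names and the token helpers are assumptions standing in for a Django model and view.

```python
import time
import uuid

class PermissionDenied(Exception):
    """Raised when the requesting user may not reach the object."""

# Constructed sample data standing in for a Comment table: sequential ids,
# each row owned by one user.  The ids are exactly the kind of reference
# a caller can enumerate if nothing checks who is asking.
COMMENTS = {
    1: {"owner": "alice", "body": "first"},
    2: {"owner": "bob", "body": "second"},
}

def get_comment_insecure(comment_id):
    """IDOR-prone lookup: the id alone selects the row, so any caller who
    guesses another user's id reads it."""
    return COMMENTS[comment_id]

def get_comment_for_user(user, comment_id):
    """Access-controlled lookup: the query is scoped to the caller, the
    equivalent of Comment.objects.get(pk=comment_id, owner=user).  A row the
    caller does not own is reported the same way as a missing row, so the
    check does not leak which ids exist."""
    row = COMMENTS.get(comment_id)
    if row is None or row["owner"] != user:
        raise PermissionDenied(f"comment {comment_id} not accessible to {user}")
    return row

# One-time download links are the case where an unguessable reference is
# acceptable: the token is random (uuid4 draws from os.urandom), consumed on
# first use and time-limited, so it is not a stand-in for a permission check.
DOWNLOAD_TOKENS = {}

def issue_download_token(path, ttl_seconds=300, now=None):
    """Mint a single-use link token for `path`, valid for ttl_seconds."""
    token = str(uuid.uuid4())
    DOWNLOAD_TOKENS[token] = (path, (now or time.time()) + ttl_seconds)
    return token

def redeem_download_token(token, now=None):
    """Consume a token: pop() makes it single use, then enforce expiry."""
    entry = DOWNLOAD_TOKENS.pop(token, None)
    if entry is None:
        raise PermissionDenied("unknown or already used token")
    path, expires = entry
    if (now or time.time()) > expires:
        raise PermissionDenied("token expired")
    return path
```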
