You must secure your endpoints with an authentication mechanism, and on top of that you might consider using django-rest-knox.

//Jona

On Wed, Aug 21, 2019 at 5:57 PM Yoo <[email protected]> wrote:

> Hi,
> Thanks for the prompt response (and sorry for such a late one). I suppose I'm simply asking about JSON in general and DRF validation. Using the general serializer (serializer.Serializers), DRF validates the JSON itself, right? So, if some malicious person sent Python code via the JSON using some kind of escape char, then DRF responds with an error, right?
>
> Otherwise, is there some Django util that can deal with this? Because the API is just an endpoint. All someone has to do (at least in this project) is send a JWT Access token alongside some throttling. Can you point out some Headers that I can use? Is it possible to use some kind of app (i.e. android + iOS) signature?
>
> Thank you!
>
> On Tuesday, August 20, 2019 at 11:46:24 PM UTC-4, Aditya Singh wrote:
>>
>> Hi,
>> Hope you are good.
>> Django ships with top of the line CSRF protection first of all. Secondly, you may specify domain specific headers and strictly restrict the expected type of data, cookies timeout, response data type from the server to the client. Also, you may leverage several robust django compatible packages which relate to security and prevent any requests to the API which are unauthorized. From unauthorized, I feel obliged to mention that you must make sure that all the endpoints in your api are well defined and that all the methods being executed on those corresponding endpoints need strong authentication.
>> Hope I could be of some help,
>> Kind regards,
>> Aditya
>>
>> On Wed, Aug 21, 2019, 9:11 AM Yoo <[email protected]> wrote:
>>
>>> Hi, I'm gonna be using Django Rest Framework for API with a Postgres stack and not developing with website. Coding apps in Swift and Androidx Java. Users can POST rich text, or text that uses HTML, to the server, and then other users can GET that HTML and view it in (ui)TextView.
>>>
>>> Based on previous experience, it seemed like Android's TextView wouldn't have any trouble with XSS or the like. Not sure about Swift, so can someone tell me if I should worry on the iOS side?
>>>
>>> Last thing. Because this is just an API, how does DRF protect my server against some malicious JSON POST request? A request that isn't sent from the designated app or is hand-crafted. If DRF doesn't somehow serialize correctly, then there would be some server issues, right? Gah worrying.
>>>
>>> TL;DR. Programming mobile with DRF. Should I worry about Rich Text (HTML Editing) on client and/or server side?
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Django users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6c6b92e2-7e49-42f8-abe5-d05b1d0f4619%40googlegroups.com.
>>>
>>
>

--
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/CAD9jLPK2YyjuLn%3D6HP3fM2aLU9PbBeMg_3CWHYiKuafMObYu%2BA%40mail.gmail.com.

