Frog and Toad Learn About Django Security

Speech transcript
Thank you all so much for coming to DjangoCon and to my story. I'm really happy you all joined me today. Today's story is Frog and Toad Learn About Django Security.

Frog and Toad are friends. One day Frog looked up at Toad and said, I have this great idea: I'll do all the business work and you do all the coding. Doesn't that sound great? The site is going to be called Bezos Books and we'll be selling books. Authors can come and put in book information, the book information gets put on a page, and people can come to our site and buy books. I'm sure it'll be easy; I'm sure we'll make lots of money.

Now Toad is a Django developer, so he decides that he's going to make Bezos Books in Django. He goes back to Frog and tells him this, and Frog says, that's great, but all of the other startup friends that I have in the lily pond keep losing customers because of security exploits. Is Django secure? Toad thinks about it, goes and does some reading, and discovers that yes, within reason, Django is secure, and he goes to tell his friend Frog about it.

The first thing he tells Frog about is XSS, or cross-site scripting vulnerabilities. Frog asks, what is a cross-site scripting vulnerability? Toad says, a cross-site scripting vulnerability is when someone who can put information onto or into our site, which we render to a page, puts in things to be rendered that are supposed to harm or affect the user in a way we don't want. So because we have a form that accepts book information, if they put in some nasty JavaScript, the users could lose their credit card information or all sorts of secrets, and that would be very bad. Frog says, yes, that would be very bad. Does Django protect us from this? Toad says, yes it does: if the user puts in something like a script tag, Django, when we render that HTML, is going to escape the nasty characters, not strip them, but escape them.

Because Toad is a very clever toad, he got into the Django source code and saw exactly the
function that is doing this, and it turns out it's actually a very simple function, a function that basically hasn't been changed since Simon Willison wrote it like a decade ago. What the very simple escaping function does is look for characters that could be harmful and replace them with their HTML entities.

Toad is very clever, and so he found out where that function lives, and because he wanted a complete picture of how Django handles this in the rendering system, he learned that where escape is called is in nodes. When the context is used to render a template, a tree of nodes is created to represent the HTML in that template. If a template should have something changed about it because of variables being put in, an aptly named VariableNode is created. That VariableNode has a render method, like all nodes in the Django DOM representation, and it has a method called conditional_escape which checks if it should escape the string and, if so, calls that escape function that Toad discovered earlier.

Frog is very happy about this and asks his friend Toad, but Toad, what about the cases where we really don't want things escaped for some reason? Toad is unsure about this; he thinks that's a bad idea for security, but he does reveal, well, we have these powers called mark_safe and the pipe safe filter, which will let us put HTML right into the page and have it rendered the way we expect, but we should be very careful about using them. Frog says, yes, of course we should be very careful.

The next thing that Toad tells Frog about is CSRF, or cross-site request forgery, and the way he tells it is this: Django tries to protect us from CSRF attacks. CSRF stands for cross-site request forgery, and it could cause our site to do things against the user's wishes. Here's an example: say our site had a delete button for authors to delete their books. If that was just a simple request against
our site and we didn't have CSRF configured correctly, some other site could link to that URL and force deleting the books just through that link. Frog says, oh no, we don't want to do that! Toad agrees, we don't want to do that, and luckily Django tries to protect us from that by using its CSRF middleware.

Toad is clever and goes reading in the source code to find exactly where the CSRF middleware lives. Today he goes even deeper, because he wants to have a whole picture of how the system works, and comes up with some clever pseudocode to explain to Frog what the CSRF system is doing. If the middleware detects the request as a POST, it gets the CSRF token from the cookie that's on the request and checks it against the CSRF middleware token from the request's state, and if they both match, the request is accepted and everything moves on. If they don't match, the request is rejected and the user gets an error.

Frog thinks this is amazing; he likes that the site is protected, because he heard about some weird thing years ago where Google tried to helpfully preload links and ended up deleting a lot of blog posts. So, yes, this is great, Toad, but is there a way to get around it? Toad says, well, yes, again we should be very careful about using these things, but there is csrf_exempt, which is a decorator that we can put around our views, and when we decorate a view this way then we skip the CSRF protection in the middleware. Toad is a very clever toad; he looks at exactly where that csrf_exempt decorator lives and then plays around a bit with how he would use it for both function-based views and class-based views. It turns out that for class-based
views he has to import a second decorator, method_decorator, which strikes him as odd, but he moves on appropriately. He now updates his pseudocode: if the request is a POST and the view is not CSRF exempt, then we do everything else.

Now Frog and Toad were walking along as they said this, and they were ending the day by eating some lovely, lovely chocolate chip cookies. And Toad said, you know, these cookies remind me of something interesting. Frog says, yes, I would love to hear something interesting, Toad, my friend. And Toad says, there is a special thing you can do with cookies where you can say this cookie should be HttpOnly and therefore only be able to be read by the server, but the Django CSRF cookie is not set that way. Frog says, well, why is that interesting? Toad goes into it, because he's done his homework. This is interesting because it means that JavaScript can read the CSRF cookie, a cookie that is set on the request and is set in the browser. Frog goes, well, that certainly is interesting, though he's still not sure he gets it. Toad goes on: we asked some Django people why this might be, and the answer is for JavaScript forms. When you do that
jQuery Ajax, you need to set it up with the correct CSRF token, and you need to be able to read that CSRF token so it can be sent. Isn't that an interesting problem? Frog says, yes, very interesting. What else do we need to be protected from?

Next, Toad tells Frog about SQL injection, and says these are really bad. If we were vulnerable to these we could lose everything: we could lose all our financial data, all our user data; people could buy all the books they want; it would be horrible. Frog, appropriately alarmed, asks, are we protected from this? Toad says, yes, yes we are protected from this, because Django does the right thing. What it turns out is that all Django does is not screw up the barrier between code and data. When you make a QuerySet and you make a request against a database with the ORM, Django keeps the SQL logic separate from the data that is being collected with the SQL logic, and passes them as two separate parts all the way to the database handler, and the database handler does the escaping that is appropriate for that database.
Django just has to not screw things up, and it doesn't. Frog says, that's great, but I was talking to some analysts and they said that sometimes they really need to get at, like, raw SQL in the database. Toad is very uncertain about this and says, OK, if we actually have to do this, Django has some methods that can do it. There's the raw method, and there's raw SQL through managers, but we really shouldn't do this unless we're absolutely certain we want to be doing this. Frog says, that's a question we'll bring up later.

The next thing that Toad tells Frog about is clickjacking. Clickjacking, Toad tells Frog, is particularly subtle. What people can do is wrap our entire page in an iframe on a different URL and make it look like people browsing our site are really browsing somebody else's site, and while browsing somebody else's site with our site in an iframe, they could put their password into a site that person controls. Isn't that a whole problem? Frog says, yes, that's very awful; how can we prevent that? Toad answers, yes, we do that through the X-Frame-Options middleware, which is also enabled by default. Under the hood, the X-Frame-Options middleware, Toad learns because he's a very clever toad, lives in this particular location, and it sets a header that makes sure that browsers which respect it only display the site if it's the same origin. Of course you can get around this with the xframe_options_exempt decorator, and it only works in certain browsers, unfortunately, but it is a very good thing to do if you're worried about running an e-commerce site like, say, Bezos Books, where people could be trying to steal your credit card information or passwords.

Next, Toad tells Frog about host validation. Host validation works with clickjacking in a way to make sure that only the host that is supposed to be rendering the site can render the site. Toad made a mistake very early on, as many Django developers do, of not setting the correct ALLOWED_HOSTS when he first deployed to production, and got a lovely error that meant that he spent 10 minutes
because he couldn't figure out why Django wasn't working. The pseudocode looks something like this: the request comes in, the middleware checks the domain of the request, sees if it's in ALLOWED_HOSTS, and then proceeds; otherwise it raises an error.

Finally, we get to passwords, and Toad is really excited about passwords, which is weird because nobody tends to be very excited about passwords, and Frog asks why. Toad says, the reason I'm so excited about passwords is because what Django does is so cool. Django hashes passwords, which is common to all the web frameworks that should have passwords, but the way it hashes passwords and the way it does password upgrades is really nifty. When it hashes your password on login, it checks it through the django.contrib.auth hashers check_password function, and if you have upgraded your hasher, it checks against the old hash. If the old hash says it should be a login, it automatically rehashes it with the new hasher, so you get automatic security upgrades as you're moving through the lifetime of your product. Isn't that amazing? Frog says, yeah, that's amazing, that is so cool.

So, having
gone through all that, through all that Toad discovered, Frog asks Toad, that's all great, it's really quite amazing, but what can we do to make this better? How can we improve the security of our Django site? Toad says, well, the first thing we can do is be constantly vigilant. All those things I talked about, all the ways to get around the built-in security features, we should be doing everything we can to limit the use of those. One great way of doing this is having our code review tool automatically alert us when it detects things like csrf_exempt or pipe safe or mark_safe, so that I, especially as CTO (I am CTO, right? Frog says yes, you are CTO), get alerted when somebody is using these very unsafe parts of Django. Additionally, we should be doing regular code reviews, and we should be having tests to make sure that all of our security features hold. We should also be doing regular security audits to make sure that our product can't be hacked into by people who are hostile to us. Frog says, that sounds like a lot of work, Toad; do we need to do all of that? Toad says, yes, it's very important. If we don't do this, and if we don't do this on a regular basis, we might be exposed and lose all our customer data. Frog, suitably alarmed, says, yes, that is very, very bad.

The next thing that we could be doing, says Toad, is making sure our site is served over HTTPS, and luckily Django makes this easier and easier all the time. You can set your cookies to be secure; you can set your settings to only allow secure cookies. It is very critical, especially since we're an e-commerce site, that we only use HTTPS on our site. So I know it's going to be a little bit more money to get the HTTPS certificate, Frog, but it is very worth it, I promise you. Do you want the government snooping on what books our users are buying? Frog thinks about it, thinks about the romances he's been buying recently, and says, no, no, I don't.

The next thing we could be doing, says Toad, is having a Content Security Policy. A Content Security
Policy is another thing that the browser respects that you set on your server, and what it says is, hey browser, please only allow content from these domains, and the browser says, well, you told me only to allow content from these domains, so I'm going to block hard anything that you tell me to block, but I will also, if you tell me to just log, let you know when you're loading content from unauthorized domains. Which is really great for Frog and Toad's site, because it means they can allow certain HTML to be put in, and load images from certain sites but not allow images or links from other sites, and block those at the CSP level rather than having to write complicated rules for checking the HTML in the code. So Toad recommends to Frog that we must set a CSP policy, at the very least a logging policy, so we know where users are trying to access assets from, but if we could, we should be trying to set up blocking policies so we don't allow anything that we don't trust on our site.

The next thing we could be doing, Toad says, is setting up Django encrypted fields and using those to store confidential information like passwords or user credit card information or any other personally identifying information. If we set this up with a key and come up with a good key management policy, which is unfortunately tricky in its own right, then we can be reasonably certain that at least at rest our users' data will be protected, which is very important. You understand this is important, right, Frog? Frog does, and Toad tells him, with Django encrypted fields protecting our data at rest and HTTPS protecting our data in transit, we now have a much smaller attack surface; it's much harder for our users' data to get stolen.

The other thing we could do, which is for the most part now bundled into a lot of later versions of Django, is use django-secure and set some of the settings there that really tighten down any of the areas of Django that we haven't explicitly hardened. And there's a great tool online
called Pony Checkup, which will go over our entire site and scan for common Django vulnerabilities, and I've heard that if we get a hundred percent on our site when it checks, it will give us a sticker. Of course there are lots of other resources in the community, one of which is talks from previous DjangoCons, like Making Django Ridiculously Secure from last year, but also the security talk from this year, which Toad very much encourages Frog to go to.

Having done all of this, and having tried to firmly explain to Frog all the vagaries of securing a Django site and everything that Django does, and digging deep into the code examples to prove to himself that Django security works the way it should, Toad asks, do you have any other questions? And Frog thinks about it, and thinks about it, and says, not sure I want to start up anymore, but I do know a lot more about security. Thank you very much.

If you want to see many more useful things, come talk to me. The slides are online, and I am deliberately leaving time for questions. This story is an overview of everything Django security is doing and some suggestions for making it better. The reason that there isn't a ton more content in this talk is because Django does a pretty great job out of the box with security, and having, as part of my job, had to do audits of other web frameworks and other web security tools, Django does it right. But some things that I didn't mention that are also super important: the reason I didn't mention them is because of my lightning talk. Django has a session cookie, and Django has a secret key. If you saw my lightning talk, you may have seen that that secret key does a lot for you that you may not realize under the hood, like doing signed, secure sessions and password reset tokens. And so, in the list of ways to make Django better: if you have at any time in the entire life cycle of
your codebase pushed your secret key to a repo and you're still using that key, please, please, please change it, put it in an environment variable, and never think about it again. We have probably more time than I was intending for questions, sorry about that, but you know, send them to me, and I will open up for questions at this time.
What recommendations do you have around packages or things that help with Django for things like denial of service, and the more sort of behavioral analysis of things that aren't strictly dangerous but can be?

Yeah, the question. So I am going to answer this question from two approaches. One is the approach of a lot of users are just hitting my site in some way, and one is a lot of seemingly legitimate users are just kind of overloading my site, right? I'm going to argue that a pile of users hitting my site is firmly in the realm of something that Django should not be handling; that is the web server's job. So either you figure out a way to front your boxes with something, or use Varnish to do good caching if you have a lot of content changing on your pages. But if you were trying to do DDoS mitigation at a Django level, I feel like everybody loses. But if you are having a lot of legitimate actions come to your site, where somebody who has a real user account might be trying to, like, heavily spam your site or try to break its reputation, I heavily recommend rate limiting, both on web flows and especially on API flows. A lot of API packages will build in some form of rate limiting right now, but it's also not that difficult; Django REST Framework has really good built-in throttling. So yeah, you can be rate limiting at the API level. Does that answer your question? Yes.

When using encrypted fields, do you have any tips for key management policies? Key management is really hard. My advice is twofold. One, make sure that it's something that your entire team is aware of, because key management is hard, but often the reason key management is hard is because there's, like, one flaw that turns out to be human fault, where there was this backup that nobody knew about, or the place where you're storing the keys. But that's the human
side. On the technical side, I have never seen a strong argument against Keyczar, especially because there's not really anything out on the market, publicly available, that's better. I know some companies that have rolled their own solutions on top of Keyczar to make that better, but dig deep into Keyczar and see if that works for you. And if you don't have dedicated security people on your team, key management is the kind of thing where it's probably worth hiring a security consultant, because you really want to get it right, and you really want to get it right the first time. But you probably knew that; that's why you asked. Next question.

Hello, I have a very specific question. We have Django projects behind some frontends over HTTPS, and I would like to use all these HTTPS-related Django settings for security, but behind the frontend we have a reverse proxy server, which is or should be plain HTTP, and if I enable all these HTTPS-only features I will break the reverse proxy. So what to do? That's a great question. I would say that, I think in your heart of hearts you might already know the answer, and the answer is, wherever your HTTPS is terminating is the last place that your server is going to see it as HTTPS, right? And so if you have a reverse proxy in the middle, there's really no way around it. Can you make additional... yes? OK, so, but unfortunately it's not so easy to use HTTPS for the reverse proxy, because we generate, from that, the domain for the site, which includes version and sessions, so that's what it looks like. I might have a solution; I'd encourage you to talk to him afterward. It's not an area that I am an expert in, but it probably is possible. Also there's probably a hole in it somewhere if you try to configure it that way, but...
Thanks. Right, so you mentioned the use of Django encrypted fields, and I was wondering if you had any experience or opinion about doing field-level encryption in the application layer versus the database layer, using something like MySQL's AES encryption, or Postgres's PGP module, aside from the concern about portability. Do you have any experience? I don't have any experience doing things that way, and my guess is, my general philosophy would be that if you can get it working locally and you can specifically write tests that prove that it works locally, then go for it. And I'm willing to bet that there's probably someone in this room who may have done that, but I don't have any direct experience with it.

OK, so it's very nice that I can encrypt fields in the database, and I should do that probably in more cases than I do, even emails or PII at some low level. But I'm also supposed to encrypt database passwords. I'm on the file system; I don't want to put them in settings, but I also don't want to use environment variables, because then it's clear text somewhere. This is a standard problem. I wish I could use Keyczar, but for government reasons our development environment is the Windows desktop, and PyCrypto was hard enough; I don't want to compile Keyczar. So is there a way that I can use the Django secret key, which will be an environment variable anyway, to decrypt other things that are in settings? Does your secret key need to be consistent? So if you rely on sessions and normal authentication methods, yes, your secret key needs to be consistent from server to server and over time. From server to server, yes. And that is less secure than using something like Keyczar. Most of the things the secret key does in Django are things that are incredibly
helpful and incredibly necessary if you're buying into the standard Django auth framework. If you are using a completely different authentication method and you're not relying on CSRF, and you just have the secret key, like, you know, call out to random every time you load up a server, right, it doesn't need to be consistent, and you don't need to set an environment variable. But if you're relying on them over time, you need consistency. You can use Keyczar, you can use other tools; I can't blame you about always having to recompile, right? But Keyczar is the one that I recommend. So, that is a great question, and you don't want it in any sort of source control, because you don't want it in plain text at all.
What I guess I'm asking is, what in the innards of Django, which I don't know as well as you do, what do I call to encrypt and decrypt things using the secret key, or using anything? So in the innards of Django the secret key is used basically in two functions. It's used to create salted HMACs for things like the password reset token, and that's not necessarily an encryption; that's like creating a hash. And it is used for the secure cookie signing. OK, so you're not using it as an encryption key, so it's not there yet. Then you might not find it is a key that should be secure. So I could use it with PyCrypto, and that's my way forward, probably. Possibly, but I think we should try and compile Keyczar, maybe... Yeah.

Next question. Your talk covered a lot of the things we should do to protect against known exploits. What kind of defensive programming things should we be doing to protect us against the unknown ones, the ones that might appear at some point, where we would rather be safe when they come out rather than having to hurry to fix them? That's a great question. Honestly, if you have a lot of coders at your company, if you have a group of coders who care about security, make sure that they are trying to review as much code as possible. This is very scary; you can't predict the threats that are going to come. What you can do is make sure that you are following good security practices, like sanitizing data when it comes in, thinking about how it renders when it goes out, and making sure that that is probably still going to be sane no matter what the exploit is. We're reaching a point where the exploits are in the browsers; the browsers are finding some exploits, and in the servers there's a whole category of certificate exploits that is kind of outside the scope of what Django can do. Django assumes that by the time a
request gets to it, a lot of the SSL negotiations have already happened. And if you ask what we do specifically: we have a group of security reviewers, we have a group of PCI reviewers that look at different things, because PCI comes with its own bundle of tricks, and we also make sure that we are, in our chat, which happens to be Slack, subscribing to a lot of security feeds, so as soon as CVEs get announced we know and we can get on top of that. A lot of times we find that because we've been doing security, thinking about what's going on, what's coming out, we don't need to do much. And we also find that Django has been looked at by so many eyes and reviewed so many times that oftentimes the new security bugs that are coming out are in some obscure part of Django that we weren't using already. So, you know, the answer to your question is constant vigilance, but try to be aware of your attack surface. And again, I really recommend people go and watch his talk from last year, because he describes thinking about your attack surface: think about, if somebody wanted to attack me, who is the most likely person to attack, what is their motivation, where are they going to be coming from? At our company, our attack surface is manifold, but the obvious case is people might want free tickets, right? So let's make sure that everything around orders and everything around registration is really tight, so that people can't just willy-nilly get a free ticket. But there are some places where we may not need to focus as much. Does that answer your question?

I kind of... my question was more about expanding on all the other things that go with security, rather than strictly protecting against this one problem, because people tend to think about security as, what are the five things I have to protect against, now I'm done, versus the whole other side of the list, the perspective of, is there a number four up there? Think about this systemically, rather than just one, two, three, four, five. And the
gist of what you said, just as an aside: there are two ways to think about security. One is the descriptive nomenclature, where you try to name every possible attack out there and come up with a mitigation for each name, and then there's a holistic strategy where it's like, well, we know these are common attack patterns, we know where the attack vectors could be, let's focus on building skills that are good for the specific patterns. I'm not a fan of the nomenclature-specific model of looking at security. I don't care what you call this exploit; I want general practices that will help me in the future.

I think one final question. Are there any tools out there to check my website, to check that I don't use, like, pipe safe or safe in templates? Could you say that again? Are there any tools out there, to report or to try to prove, on one side, in terms of making sure that I don't use safe in templates, or csrf_exempt? That is a great question, and maybe a leading question. There's one that is going to try to do a bunch of brute XSS attacks against a site. What we do, right, is we do have auditors that try to do some of that for us. We don't have a ton of automated tools to try to check for XSS, because our site is very large and very old. And so what we do do is, any time anybody is using anything that looks like that, like matches the characters safe or pipe, we make sure a security reviewer, right, they're looking at it, making sure that this is invulnerable, and the same thing on exempt, right? Like, if CSRF is in the name of the review, security is going to have eyes on it and is going to have to approve it before it goes out. And I'm sure there are tools out there; feel free to tweet them at the hashtag and I'll retweet them and people can find them. But I keep harping on the same thing,
and constant vigilance: try to be as aware as possible of what your code is. I think people will have further questions for you, and a good suggestion really is, during sprints, reopening this for folks just in the hall and talking about the subject. Come talk to me; I will be here at sprints, I will be sprinting with the web folks, come and talk to me about security. And I always have a lot more security stuff to talk about. If you have feedback, you can either give it to me directly or give feedback on this: this was a bit of an experiment, being more story-driven with the talk, so I'm curious whether people liked that or not. You know, don't go out of your way to shout at me, but do give me the feedback, maybe by e-mail. And that's it, thank you all so much. If you would like more of the James family experiments, Nicole James, around the corner, is giving a talk on beginner workshops, so if you just can't get enough of the Davies family, that's the talk next.
I I see this

Metadata

Formal metadata

Title Frog and Toad Learn About Django Security
Series title DjangoCon US 2016
Part 25
Number of parts 52
Author James, Philip
License CC Attribution - Share Alike 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner specified by them and pass on the work or this content, including in modified form, only under the terms of this licence.
DOI 10.5446/32695
Publisher DjangoCon US
Publication year 2016
Language English

Content metadata

Subject area Computer science
Abstract Django Security Talk Notes Philip James, how long I've worked with Python and Django, background at EB Introduction to the story, and the characters Safe-ish: Talk about Django's Security Model and how it tries to provide sane defaults for developers Run-through of the parts of the django security model
