Redirecting to a secure HTTPS connection in Apache. As system administrators, we may want every access to a given website to always take place over the secure HTTPS protocol.
We will look at two options: a permanent redirect or rewriting.

Permanent redirect method

The procedure is to define one VirtualHost for HTTPS and another for HTTP. From the HTTP VirtualHost we set a permanent redirect to HTTPS.

# /etc/apache2/sites-enabled/000-default
<VirtualHost *:80>
    ServerName www.ejemplo.com
    ServerAdmin webmaster@ejemplo.com
    Redirect permanent /
</VirtualHost>

Rewrite method

For this method to work, we must make sure the mod_rewrite module is installed.
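Both methods written out side by side, as an added example that is not part of the original page: the redirect target https://www.ejemplo.com/, the certificate and key paths, and the DocumentRoot are assumptions (only the ServerName www.ejemplo.com comes from the page).

```apache
# Added example, not from the original page. ServerName is the page's;
# the redirect target, certificate paths and DocumentRoot are assumed.
# Use ONE of the two port-80 blocks below, not both.

# Method 1: permanent (301) redirect from the HTTP VirtualHost.
# Every path under / is sent to the same path on the HTTPS host.
<VirtualHost *:80>
    ServerName www.ejemplo.com
    ServerAdmin webmaster@ejemplo.com
    Redirect permanent / https://www.ejemplo.com/
</VirtualHost>

# Method 2: mod_rewrite (run "a2enmod rewrite" first).
# The rule fires only when the request did not arrive over TLS, so the
# three Rewrite* lines can also be placed in a .htaccess file at the site
# root instead of the VirtualHost.
<VirtualHost *:80>
    ServerName www.ejemplo.com
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# The HTTPS VirtualHost that both methods redirect to (mod_ssl enabled).
<VirtualHost *:443>
    ServerName www.ejemplo.com
    ServerAdmin webmaster@ejemplo.com
    # placeholder paths, replace with the real certificate and key
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ejemplo.crt
    SSLCertificateKeyFile /etc/ssl/private/ejemplo.key
    # placeholder document root
    DocumentRoot /var/www/ejemplo
</VirtualHost>
```

Run `apachectl configtest` before restarting, and confirm with `curl -I http://www.ejemplo.com/` that a plain-HTTP request gets a 301 with a Location header pointing at the https:// URL.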
# a2enmod rewrite
Enabling module rewrite.

Once the mod_rewrite module is installed we are ready to set up rewriting of the whole website by adding the following code inside the corresponding HTTP VirtualHost or, alternatively, in a .htaccess file at the root of the site.

Security in Django. This document is an overview of Django's security features.
It includes advice on securing a Django-powered site.

Cross site scripting (XSS) protection

XSS attacks allow a user to inject client-side scripts into the browsers of other users. This is usually achieved by storing the malicious scripts in the database, where they will be retrieved and displayed to other users, or by getting users to click a link which will cause the attacker's JavaScript to be executed by the user's browser. However, XSS attacks can originate from any untrusted source of data, such as cookies or web services, whenever the data is not sufficiently sanitized before being included in a page. Using Django templates protects you against the majority of XSS attacks. Django templates escape specific characters which are particularly dangerous to HTML.

<style class={{ var }}>...

You should also be very careful when storing HTML in the database, especially when that HTML is retrieved and displayed.
Forcing the Django admin to use SSL - Menudo Problema. The first thing is to enable mod_rewrite.
To do so:

$ sudo a2enmod
Your choices are: actions alias asis auth_basic auth_digest authn_alias authn_anon authn_dbd authn_dbm authn_default authn_file authnz_ldap authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta cgi cgid charset_lite dav dav_fs dav_lock dbd deflate dir disk_cache dump_io env expires ext_filter file_cache filter headers ident imagemap include info ldap log_forensic mem_cache mime mime_magic negotiation perl proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi python reqtimeout rewrite setenvif speling ssl status substitute suexec unique_id userdir usertrack version vhost_alias
Which module(s) do you want to enable (wildcards ok)?
rewrite
Enabling module rewrite.
Run '/etc/init.d/apache2 restart' to activate new configuration!

Once we have the Virtual Hosts ready for a normal connection and a secure connection, we must add the following:

Securing Django with SSL. Posted: February 18th, 2009 | Author: Scott Barnham | Filed under: Django

When we built the centralized authentication system for Red Robot Studios we wanted all authentication and account resources to be available solely over https.
This article covers some tips and tricks we discovered while building the app, and how you can use Django to get fine-grained control over which resources are available securely.

Why bother with security?

We all know that data sent over http is cleartext and can potentially be read on any network between the client and server. But the risk feels pretty minimal and many sites don't bother using SSL to encrypt sensitive traffic. The chances of your http requests being snooped on by an ISP, intermediate networks or your hosting company seem minimal. The data on your website may not be sensitive, but if you use Django's admin or authentication frameworks, two important bits of information are passed as cleartext.

Encrypting login sessions.