I maintain several open source Python projects, each in its own GitHub repository. I like to keep them all up to date according to a kind of template - similarity increases maintainability.
Python’s decimal module has a concept of a “context”. This defines the default precision of new Decimals, how rounding works, and lots of other behaviour. Maths gets complicated!
Django’s default settings file has always included a BASE_DIR pseudo-setting. I call it a “pseudo-setting” since it’s not read by Django itself. But it’s useful for configuring path-based settings, it is mentioned in the documentation, and some third party packages use it.
I previously covered using Django’s CheckConstraint class to ensure a field with choices is constrained to only valid values. Here’s another use case, based on an application I worked on. It uses a check constraint to ensure a set of fields, representing percentages, always sum up to 100.
If you have some slow tests in your suite, you might want to run them only on CI. To do this, you can detect in your test runner if you’re running on a CI system.
At yesterday’s DJUGL meetup I heard a talk from Esau Rodríguez about a buggy new system deployment he survived. His team were deploying a new version of a system that changed the way it connected to its MySQL database, while simultaneously moving session keys from integers to UUIDs. When they discovered the database connection change was flaky, they rolled back to the previous version. This quickly led to a user reporting being able to see another’s data!
If you’re hosting a website on a top level domain, you should set up both the bare domain (example.com) and the “www” subdomain (www.example.com). People expect to be able to type either version and see your site - no matter which version you advertise.
When you run Django’s manage.py makemigrations, it will try to generate a name for the migration based upon its contents. For example, if you are adding a single field, it will call the migration 0002_mymodel_myfield.py. However when your migration contains more than one step, it instead uses a simple ‘auto’ name with the current date + time, e.g. 0002_auto_20200113_1837.py. You can provide the -n/--name argument to makemigrations, but developers often forget this.
Django templates are often used to pass data to JavaScript code. Unfortunately, if implemented incorrectly, this opens up the possibility of HTML injection, and thus XSS (Cross-Site Scripting) attacks.
I previously blogged about how I configured my CloudFront hosted website to score A+ on securityheaders.com. I worked around CloudFront’s lack of an “add headers” feature by adding a Lambda@Edge function in JavaScript.
robots.txt is a standard file to communicate to “robot” crawlers, such as Google’s Googlebot, which pages they should not crawl. You serve it on your site at the root URL /robots.txt, for example https://example.com/robots.txt.
Here are some issues I’ve seen crop up several times in Django projects using Celery. They probably apply with other task queues, I simply haven’t used them so much.
I previously covered how I scored A+ for security headers on my site, which uses AWS CloudFront. I didn’t touch on scoring A+ for your TLS configuration though.
On Wednesday evening last week I held a quiz at the January London Django Meetup Group. This was the fourth quiz, which has become an annual Christmas tradition at the meetup. Unfortunately it was a month late this year due to venue changes, so I’ve titled this post “Django Quiz 4”.