--- name: django-security-advanced description: Advanced Django security — file upload validation (extension/size/storage), DRF API security (rate limiting throttles, JWT), Content Security Policy middleware, django-environ secrets management, security event logging, and production deployment checklist. --- # Django Security — Advanced This skill extends `django-security` with file uploads, API security, headers, and deployment. Load `django-security` first. ## When to Activate - Validating file uploads (size, extension, storage path) - Configuring DRF rate limiting or JWT authentication - Setting Content Security Policy headers - Configuring secrets with django-environ - Reviewing security logging setup before production deployment --- ## File Upload Security ### File Validation ```python import os from django.core.exceptions import ValidationError def validate_file_extension(value): """Validate file extension.""" ext = os.path.splitext(value.name)[1] valid_extensions = ['.jpg', '.jpeg', '.png', '.gif', '.pdf'] if not ext.lower() in valid_extensions: raise ValidationError('Unsupported file extension.') def validate_file_size(value): """Validate file size (max 5MB).""" filesize = value.size if filesize > 5 * 1024 * 1024: raise ValidationError('File too large. Max size is 5MB.') # models.py class Document(models.Model): file = models.FileField( upload_to='documents/', validators=[validate_file_extension, validate_file_size] ) ``` ### Secure File Storage ```python # settings.py MEDIA_ROOT = '/var/www/media/' MEDIA_URL = '/media/' # Use a separate domain for media in production MEDIA_DOMAIN = 'https://media.example.com' # Don't serve user uploads directly # Use whitenoise or a CDN for static files # Use a separate server or S3 for media files ``` --- ## API Security ### Rate Limiting ```python # settings.py REST_FRAMEWORK = { 'DEFAULT_THROTTLE_CLASSES': [ 'rest_framework.throttling.AnonRateThrottle', 'rest_framework.throttling.UserRateThrottle' ], 'DEFAULT_THROTTLE_RATES': { 'anon': '100/day', 'user': '1000/day', 'upload': '10/hour', } } # Custom throttle from rest_framework.throttling import UserRateThrottle class BurstRateThrottle(UserRateThrottle): scope = 'burst' rate = '60/min' class SustainedRateThrottle(UserRateThrottle): scope = 'sustained' rate = '1000/day' ``` ### Authentication for APIs ```python # settings.py REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': [ 'rest_framework.authentication.TokenAuthentication', 'rest_framework.authentication.SessionAuthentication', 'rest_framework_simplejwt.authentication.JWTAuthentication', ], 'DEFAULT_PERMISSION_CLASSES': [ 'rest_framework.permissions.IsAuthenticated', ], } # views.py from rest_framework.decorators import api_view, permission_classes from rest_framework.permissions import IsAuthenticated @api_view(['GET', 'POST']) @permission_classes([IsAuthenticated]) def protected_view(request): return Response({'message': 'You are authenticated'}) ``` --- ## Security Headers ### Content Security Policy ```python # settings.py CSP_DEFAULT_SRC = "'self'" CSP_SCRIPT_SRC = "'self' https://cdn.example.com" CSP_STYLE_SRC = "'self' 'unsafe-inline'" CSP_IMG_SRC = "'self' data: https:" CSP_CONNECT_SRC = "'self' https://api.example.com" # Middleware class CSPMiddleware: def __init__(self, get_response): self.get_response = get_response def __call__(self, request): response = self.get_response(request) response['Content-Security-Policy'] = ( f"default-src {CSP_DEFAULT_SRC}; " f"script-src {CSP_SCRIPT_SRC}; " f"style-src {CSP_STYLE_SRC}; " f"img-src {CSP_IMG_SRC}; " f"connect-src {CSP_CONNECT_SRC}" ) return response ``` --- ## Environment Variables ### Managing Secrets ```python # Use python-decouple or django-environ import environ env = environ.Env( # set casting, default value DEBUG=(bool, False) ) # reading .env file environ.Env.read_env() SECRET_KEY = env('DJANGO_SECRET_KEY') DATABASE_URL = env('DATABASE_URL') ALLOWED_HOSTS = env.list('ALLOWED_HOSTS') # .env file (never commit this) # DEBUG=False # SECRET_KEY=your-secret-key-here # DATABASE_URL=postgresql://user:password@localhost:5432/dbname # ALLOWED_HOSTS=example.com,www.example.com ``` --- ## Logging Security Events ```python # settings.py LOGGING = { 'version': 1, 'disable_existing_loggers': False, 'handlers': { 'file': { 'level': 'WARNING', 'class': 'logging.FileHandler', 'filename': '/var/log/django/security.log', }, 'console': { 'level': 'INFO', 'class': 'logging.StreamHandler', }, }, 'loggers': { 'django.security': { 'handlers': ['file', 'console'], 'level': 'WARNING', 'propagate': True, }, 'django.request': { 'handlers': ['file'], 'level': 'ERROR', 'propagate': False, }, }, } ``` --- ## Quick Security Checklist | Check | Description | |-------|-------------| | `DEBUG = False` | Never run with DEBUG in production | | HTTPS only | Force SSL, secure cookies | | Strong secrets | Use environment variables for SECRET_KEY | | Password validation | Enable all password validators | | CSRF protection | Enabled by default, don't disable | | XSS prevention | Django auto-escapes, don't use `\|safe` with user input | | SQL injection | Use ORM, never concatenate strings in queries | | File uploads | Validate file type and size | | Rate limiting | Throttle API endpoints | | Security headers | CSP, X-Frame-Options, HSTS | | Logging | Log security events | | Updates | Keep Django and dependencies updated | Security is a process, not a product. Regularly review and update your security practices. ## Reference - `django-security` — core settings, authentication, authorization, SQL injection, XSS, CSRF - `security-review` — general security review checklist (OWASP Top 10)