How secure is Django

A client of mine asked me this question. I am not even sure what to reply ? I am no security开发者_StackOverflow expert, just a web dev. What can must I say ?

By default, Django prevents most common security mistakes:

• XSS (cross-site scripting) protection — Django template system by default escapes variables, unless they are explicitly marked as safe.
• CSRF (cross site request forgery) protection — easy to turn on globally, guarantees that forms (POST requests) are sent from your own site.
• SQL injection protection — Django uses built-in ORM, thus there is no risk of SQL injection (raw queries are possible, but by no means something that a beginner would need to use).

Additional security features:

• Clickjacking protection — Django can detect when the content is requested from unauthorized iframe
• Safe password hash — Django by default uses PBKDF2, another option is bcrypt. Both are resilient to usage of rainbow tables (thanks to salt), both have significant compute time to prevent easy bruteforce.

It's also important to note, that Django is implemented in Python, which has excellent security track record. Thus the underlying language is not a security risk.

More on Django security: https://docs.djangoproject.com/en/stable/topics/security/

Django is as secure as any web framework can be. It provides tools and doc to prevent common mistakes causing security problems (csrf, xss, etc.)

However, a tool in itself cannot be "secure". The whole platform security depends on the proper use of the tools you choose, and thus is more a matter of developer skills.

As a web framework it hat some functions that will help you in making your site secure. You can't directly say of a web-framework it is secure.

In the end its all about how your client designs his project. Django is used in big projects and therefore it has proven to be used in a production environment. DISQUS is one of the best examples for that.#

If your client is willing to put some effort into securing his site he will be fine with django or any other framework but its not the framework that makes a site secure its how a developer uses the framework.

Django is one of the most secure web frameworks. Django provides ways to protect against some common web application vulnerabilities out of the box such as -

• SQL Injection
• CRLF Injection
• Timing Attack
• Clickjacking Attack
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Encrypted connection

I had a similar situation, then I went through official documentation and multiple resources. I gathered and compiled all details here-

https://www.gauravvjn.com/security-in-the-django-application/

Security in Django - By default, Django prevents most common security mistakes: Cross site scripting (XSS) protection Cross site request forgery (CSRF) protection SQL injection protection Clickjacking protection SSL/HTTPS Host header validation