Security best practices

[AntonDnepr]

☝️Basics

This follows some best practices of the following resources:

• https://github.com/shieldfy/API-Security-Checklist
• https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication
• https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
• https://docs.djangoproject.com/en/2.2/topics/security/

💭 Implementation

If possible also change those things in our Boilerplate so we have them in place for upcoming projects.

📋 Todos

Django Security

• [ ] Make sure, Cross site request forgery (CSRF) protection works as expected and is turned on
• [x] Set SECURE_SSL_REDIRECT to True, so that requests over HTTP are redirected to HTTPS, disallow HTTP
• [x] Add django-cors-headers
• [ ] Disable CORS headers if cross-domain calls are not supported/expected. We run the API and the Frontend on the same domain so things should work fine.
• [x] Use secure cookies. If a browser connects initially via HTTP, which is the default for most browsers, it is possible for existing cookies to be leaked. For this reason, you should set your SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE settings to True. This instructs the browser to only send these cookies over HTTPS connections.
• [x] Use HSTS - HSTS is an HTTP header that informs a browser that all future connections to a particular site should always use HTTPS. Combined with redirecting requests over HTTP to HTTPS, this will ensure that connections always enjoy the added security of SSL provided one successful connection has occurred. HSTS may either be configured with SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, and SECURE_HSTS_PRELOAD, or on the Web server.
• [x] Make sure ALLOWED_HOSTS works in the correct way, you might need USE_X_FORWARDED_HOST for the X-Forwarded-Host header on Heroku
• [x] Make the Admin accessible under ADMIN_URL, e.g. with url(settings.ADMIN_URL, admin.site.urls)
• [x] Clickjacking protection - Make sure our app can not run in a frame: https://docs.djangoproject.com/en/2.2/ref/clickjacking/#setting-x-frame-options-for-all-responses
• [ ] Make sure we have logging in place for security problems (tbd)

JWT

• [ ] Use a random complicated key (JWT Secret) to make brute forcing the token very hard.
• [ ] Don't extract the algorithm from the header. Force the algorithm in the backend (HS256 or RS256).
• [ ] Make token expiration (TTL, RTTL) as short as possible.
• [ ] Don't store sensitive data in the JWT payload, it can be decoded easily.

API

• [ ] Make sure: RESTful web services should be careful to prevent leaking credentials. Passwords, security tokens, and API keys should not appear in the URL, as this can be captured in web server logs, which makes them intrinsically valuable.
• [ ] Validate content-type on request Accept header (Content Negotiation) to allow only supported format application/json and respond with 406 Not Acceptable response if not matched.
• [ ] Make sure we only accept required HTTP Methods e.g. GET, POST, PUT, DELETE where it is needed and disallow all other ones, giving a 405 Method not allowed
• [ ] Respond with generic error messages - avoid revealing details of the failure unnecessarily.
• [ ] Make sure is_active is used for API Sign in / Password forget
• [x] Send X-Content-Type-Options: nosniff header.
• [x] Send X-Frame-Options: deny header.
• [ ] Send Content-Security-Policy: default-src 'none' header.

Frontend

• [ ] Check https://cheatsheetseries.owasp.org/cheatsheets/AJAX_Security_Cheat_Sheet.html

[jensneuhaus]

@itisallgood You can go for this one now!