Web Security in Django – How to Build a Secure Web Application
Web security is an important aspect of the web application development process. Especially as more data is stored, managed, and shared.
As a web developer, it's essential to prioritize security measures to protect your company’s users and data from potential threats.
In this article, I will demonstrate web security best practices by building a secure web application using Django, a powerful Python web framework. I'll cover password hashing, secure session management, authentication, authorization, and other key security considerations with accompanying code examples.
Before continuing with this article, keep in mind that this isn't intended for absolute beginners. You should have a good understanding of Python to get the most out of this guide.
If you need to brush up on your basic programming skills in Python and Django before continuing, here are a couple resources to help you out:
You will get access to the code at the end of the article.
Set Up Your File Structure
Let's say that we want to store our project on the desktop. The first thing do is to set up our file structure. Let's start by creating a root directory for our project on the desktop (
WebSec in this case).
mkdir WebSec cd WebSec
Create a Virtual Environment and Activate It
On Linux (Ubuntu):
python3 -m venv my_env Source my_env/bin/activate
And on Windows:
python -m venv my_env my_env\Scripts\activate.bat
How to Create the Django Project
First, if you don't already have it, you'll need to install Django using the following command:
python -m pip install Django
Then you can use this command to create the project:
django-admin startproject web_sec_project .
Create a Django project. Don't forget the full stop to avoid folder duplication.
And finally, use this command to create the app:
django-admin startapp web_sec_app
Create a django app
Your file structure should look like this at the end:
WebSec my_env/ web_sec_app/ __pycache__/ migrations/ templates/ admin.py apps.py forms.py models.py tests.py urls.py views.py web_sec_project/ __pycache__/ __init__.py asgi.py settings.py urls.py wsgi.py db.sqlite3 manage.py
Run Your Server
On your IDE terminal run the following command and test if your project is working. If so, you are good to go.
python manage.py runserver
Ensure that you add your app to your project:
Check that your app is added
Now let’s start building and implementing web security.
The first line of defense when implementing web security is ensuring that user passwords are properly protected. And instead of storing passwords in plaintext, it's a good idea to hash them. We'll use cryptographic hashing to safeguard sensitive user information.
Cryptographic hashing, also known as hash functions or hash algorithms, is a fundamental concept in cryptography and computer security. It involves taking an input (or "message") and transforming it into a fixed-size string of characters, which is typically a sequence of numbers and letters. This output is called the "hash value" or "hash code."
Django provides a secure password hashing mechanism by default, using the PBKDF2 algorithm with a SHA-256 hash.
Django uses a robust and secure password hashing mechanism to protect user passwords. This mechanism helps ensure that even if the database is compromised, attackers cannot easily retrieve users' plaintext passwords. Django's password hashing mechanism consists of PBKDF2.
Back to Top