Web Security in Django – How to Build a Secure Web Application

Web security is an important aspect of the web application development process. Especially as more data is stored, managed, and shared.

As a web developer, it's essential to prioritize security measures to protect your company’s users and data from potential threats.

In this article, I will demonstrate web security best practices by building a secure web application using Django, a powerful Python web framework. I'll cover password hashing, secure session management, authentication, authorization, and other key security considerations with accompanying code examples.

Before continuing with this article, keep in mind that this isn't intended for absolute beginners. You should have a good understanding of Python to get the most out of this guide.

If you need to brush up on your basic programming skills in Python and Django before continuing, here are a couple resources to help you out:

You will get access to the code at the end of the article.

Set Up Your File Structure

Let's say that we want to store our project on the desktop. The first thing do is to set up our file structure. Let's start by creating a root directory for our project on the desktop (WebSec in this case).

mkdir WebSec
cd WebSec

Create a Virtual Environment and Activate It

On Linux (Ubuntu):

python3 -m venv my_env

Source my_env/bin/activate

And on Windows:

python -m venv my_env

my_env\Scripts\activate.bat

How to Create the Django Project

First, if you don't already have it, you'll need to install Django using the following command:

python -m pip install Django

Then you can use this command to create the project:

django-admin startproject web_sec_project .

Create a Django project. Don't forget the full stop to avoid folder duplication.

And finally, use this command to create the app:

django-admin startapp web_sec_app

Create a django app

Your file structure should look like this at the end:

WebSec
    my_env/
    web_sec_app/
        __pycache__/
        migrations/
        templates/
        admin.py
        apps.py
        forms.py
        models.py
        tests.py
        urls.py
        views.py
    web_sec_project/
        __pycache__/
        __init__.py
        asgi.py
        settings.py
        urls.py
        wsgi.py
    db.sqlite3
    manage.py

Run Your Server

On your IDE terminal run the following command and test if your project is working. If so, you are good to go.

python manage.py runserver

Ensure that you add your app to your project:

5KMFSFkkzM4T-YPujI0_9tm6FdnoTQRfJ8FbfVAZfChJfnkLRjvOSnyfq3PzIiLLWr-h-r5_mw9OOk55yJtXJ4OOjhu0wIwKiTiX5T_-7TN-oHt4elagFQ_st3mAxFHU-bWlR3JCcpcdn6b1BGgVSg

Check that your app is added

Now let’s start building and implementing web security.

Password Hashing

The first line of defense when implementing web security is ensuring that user passwords are properly protected. And instead of storing passwords in plaintext, it's a good idea to hash them. We'll use cryptographic hashing to safeguard sensitive user information.

Cryptographic hashing, also known as hash functions or hash algorithms, is a fundamental concept in cryptography and computer security. It involves taking an input (or "message") and transforming it into a fixed-size string of characters, which is typically a sequence of numbers and letters. This output is called the "hash value" or "hash code."

Django provides a secure password hashing mechanism by default, using the PBKDF2 algorithm with a SHA-256 hash.

Django uses a robust and secure password hashing mechanism to protect user passwords. This mechanism helps ensure that even if the database is compromised, attackers cannot easily retrieve users' plaintext passwords. Django's password hashing mechanism consists of PBKDF2.

 

Back to Top