django-debreach Documentation

Similar documents
django-secure Documentation

bottle-rest Release 0.5.0

Django-Select2 Documentation. Nirupam Biswas

django-subdomains Documentation

django-dajaxice Documentation

fragapy Documentation

django-embed-video Documentation

django-allauth-2fa Documentation

django-sendgrid-events Documentation

django-cas Documentation

django-embed-video Documentation

django-responsive2 Documentation

django-openid Documentation

django-slim Documentation

CID Documentation. Release Francis Reyes

Django Debug Toolbar Documentation

django-ratelimit-backend Documentation

django-intercom Documentation

django-embed-video Documentation

django-sticky-uploads Documentation

django-conduit Documentation

Gargoyle Documentation

Django-CSP Documentation

Flask-Cors Documentation

Django. Jinja2. Aymeric Augustin DjangoCong 2016

wagtail-robots Documentation

django-antispam Documentation

silk Documentation Release 0.3 Michael Ford

django-osm-field Release 0.3.1

Django IPRestrict Documentation

Bricks Documentation. Release 1.0. Germano Guerrini

django simple pagination Documentation

django-contact-form Documentation

django-geoip Documentation

django-permission Documentation

django-avatar Documentation

Templated-docs Documentation

django-avatar Documentation

django-modern-rpc Documentation

Django Extra Views Documentation

django-messages Documentation

DJOAuth2 Documentation

django-bootstrap3 Documentation

django-model-report Documentation

Django OAuth Toolkit Documentation

django-oauth2-provider Documentation

mozilla-django-oidc Documentation

django-auditlog Documentation

django-audit-log Documentation

wagtailtrans Documentation

Django MFA Documentation

Django Phantom Theme Documentation

SagePay payment gateway package for django-oscar Documentation

JOE WIPING OUT CSRF

Django Concurrency Documentation

The Django Web Framework Part VI

django-notifier Documentation

django-facetools Documentation

Django Extras Documentation

JOE WIPING OUT CSRF

django-stored-messages Documentation

Django File Picker Documentation

TailorDev Contact Documentation

CSV Importer Documentation

django-telegram-bot Documentation

django-templation Documentation

doubles Documentation

django-cron Documentation

Django EL(Endless) Pagination Documentation

cmsplugin-blog Release post 0 Øyvind Saltvik

Django Synctool Documentation

JAVASCRIPT JQUERY AJAX FILE UPLOAD STACK OVERFLOW

pytest-benchmark Release 2.5.0

Pipeline Documentation

Django AdminLTE 2 Documentation

django-ad-code Documentation

django-audiofield Documentation

CIS192 Python Programming

Ensure Documentation. Release Andrey Kislyuk

django-reinhardt Documentation

Django Map Widgets Documentation

Flask-Genshi Documentation

callgraph Documentation

GitHub-Flask Documentation

Djam Documentation. Release Participatory Culture Foundation

django-cms-search Documentation

Building a Django Twilio Programmable Chat Application

django-dynamic-db-router Documentation

Playing tasks with Django & Celery

django-mama-cas Documentation

django-idioticon Documentation

Django Localized Recurrence Documentation

Quick housekeeping Last Two Homeworks Extra Credit for demoing project prototypes Reminder about Project Deadlines/specifics Class on April 12th Resul

django-xross Documentation

Python StatsD Documentation

django-getpaid Documentation

Graphene Documentation

django-amp-tools Documentation Release latest

Django-frontend-notification Documentation

Easy-select2 Documentation

Transcription:

django-debreach Documentation Release 1.4.1 Luke Pomfrey October 16, 2016

Contents 1 Installation 3 2 Configuration 5 2.1 CSRF token masking (for Django < 1.10)................................ 5 2.2 Content length modification....................................... 6 i

ii

django-debreach Documentation, Release 1.4.1 Basic/extra mitigation against the BREACH attack for Django projects. When combined with rate limiting in your web-server, or by using something like django-ratelimit, the techniques here should provide at least some protection against the BREACH attack. Contents 1

django-debreach Documentation, Release 1.4.1 2 Contents

CHAPTER 1 Installation Install from PyPI using: $ pip install django-debreach Add to your INSTALLED_APPS: INSTALLED_APPS = ( 'debreach', ) 3

django-debreach Documentation, Release 1.4.1 4 Chapter 1. Installation

CHAPTER 2 Configuration 2.1 CSRF token masking (for Django < 1.10) Django 1.10+ provides built-in support for masking CSRF tokens so you should use that. Including the middleware in a Django 1.10 project will raise an ImproperlyConfigured exception. To mask CSRF tokens in the template add the debreach.context_processors.csrf context processor to the end of your TEMPLATE_CONTEXT_PROCESSORS: TEMPLATE_CONTEXT_PROCESSORS = ( 'debreach.context_processors.csrf', ) And add the debreach.middleware.csrfcryptmiddleware to your middleware, before django.middleware.csrf.csrfmiddleware: MIDDLEWARE_CLASSES = ( 'debreach.middleware.csrfcryptmiddleware', 'django.middleware.csrf.csrfmiddleware', ) This works by xor-ing the CSRF token when it is added to the template, so that {% csrf_token %} now produces a hidden field with a value that is "<random-string>$<actual-csrf-token-xor-ed-with-random-string>". Then, when the form is POSTed, the middleware xors the CSRF token back into it s original form. This ensures that the CSRF content is never the same between requests. If you are passing the token using the X-CSRFToken header (e.g. using XHR) that header will also be processed in the same way. Note that values that are unchanged by django-debreach, or rather, don t contain a delimiting $, will be left unmodified. The middleware will also not operate on views marked as being exempt from CSRF protection using the django.views.decorators.csrf.csrf_exempt decorator. 2.1.1 CSRF protection using csrf_protect If you don t use the CSRF middleware from django but, instead, apply the django.views.decorators.csrf.csrf_protect decorator to selected views, and don t want to use the debreach.middleware.csrfcryptmiddleware, then you can use the debreach.decorators.csrf_decrypt decorator. 5

django-debreach Documentation, Release 1.4.1 To use the debreach.decorators.csrf_decrypt decorator simply wrap your CSRF protected view with the decorator, like so: @csrf_protect @csrf_decrypt def view(request, *args, **kwargs): return HttpResponse('') 2.2 Content length modification django-debreach also enables you to counter the BREACH attack by randomising the content length of each response. This is acheived by adding a random string of between 12 and 25 characters as a comment to the end of the HTML content. Note that this will only be applied to responses with a content type of text/html. To enable content length modification for all responses, add the debreach.middleware.randomcommentmiddleware to the start of your middleware, but after the GzipMiddleware if you are using that.: MIDDLEWARE_CLASSES = ( 'debreach.middleware.randomcommentmiddleware', ) or: MIDDLEWARE_CLASSES = ( 'django.middleware.gzip.gzipmiddleware', 'debreach.middleware.randomcommentmiddleware', ) If you wish to disable this feature for selected views, simply apply the debreach.decorators.random_comment_exempt decorator to the view. If you only want to protect a subset of views with content length modification then it may be easier to not use the middleware, but to selectively apply the debreach.decorators.append_random_comment decorator to the views you want protected. 6 Chapter 2. Configuration

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback