Understanding Django Runserver Vulnerabilities

Asked 2 years ago, Updated 2 years ago, 101 views

I am trying to develop a web application in Django. So I was curious about the security of the runserver.

Even though it's for development, I started the server, so I thought there might be a risk of being attacked. (I'm sorry if I'm saying nonsense; I don't know much about this area.)
The attacks here refer to the leakage of the code developed through the server and the leakage of information about the machine being used for development.

If it is not zero, are there any known cases of such attacks? (I looked it up and couldn't find anything in particular.)
Also, I would appreciate any advice on what I can do to reduce the risk.

python django security

2022-09-29 20:25

1 Answer

Have you ever been attacked?

I've never heard of a server being attacked in a personal development environment.

Django servers (ports) that you do not publish to the outside world cannot be accessed directly from the outside world. Publication = permission to access from outside, so of course. So an attacker would have to access it indirectly in some way, and even if there is a way to do that, it's not easy for an attacker to find it.

Unless it's a server that's worth the effort to attack, no attacker would put the effort into it. Furthermore, access should not result in fatal damage if the app itself is not heavily vulnerable. Therefore, the likelihood of being attacked and the expected damage caused by an attack are both very low.

However, it is rarely possible to say that anything is 100% safe (not limited to Django). There is a possibility of an internal crime, and the possibility that Django will be accessed over home Wi-Fi that has no password set is not zero. There are many possibilities.

Also, the level of security required for local development and for disclosure to many unspecified people is completely different. Financial apps require very high levels.

Therefore, you don't have to worry too much about local development, but you need to be careful when publishing it to many unspecified people. Vulnerabilities may be found even in the latest Django, which then requires an urgent upgrade.

Also, I would appreciate any advice on what I can do to reduce the risk.

By default, Django should not accept access from non-local hosts. If you're worried, you might want to keep this restriction in place during the development stage.

The Django document explains how to secure Django-based web applications.

https://docs.djangoproject.com/en/2.2/topics/security/

Incidentally, we previously developed a vulnerable Django application and published it on GitHub.

https://github.com/k-tamura/easybuggy4django

Of course, it was full of vulnerabilities during development, but it wasn't attacked at all :-). That said, it would be terrible to leave something like that running on the Internet.


2022-09-29 20:25
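The answer's two concrete points are that `runserver` binds only to the loopback address unless you tell it otherwise, and that the risk grows when the server is reachable from other hosts. The script below is an added example, not code from the question, the answer, or the Django project: it re-implements a simplified version of how `manage.py runserver [addr:]port` is parsed (Django's real parser also accepts FQDNs and a few other forms), classifies the bind address as loopback or not, and then reports the settings that matter once the server is reachable from elsewhere (`DEBUG=True` error pages reveal source snippets, settings and environment; `ALLOWED_HOSTS = ["*"]` disables Host-header validation). The `BindInfo`, `parse_runserver_addrport` and `audit_dev_server` names are this example's own.

```python
"""Audit a Django development-server invocation for network exposure.

Added example (not part of the original post or of Django itself).
The parser is a deliberately simplified re-implementation of how
`manage.py runserver [addr:]port` is interpreted:
  - no argument        -> 127.0.0.1:8000 (Django's defaults)
  - "8080"             -> 127.0.0.1:8080
  - "0:8000"           -> 0.0.0.0:8000  (Django treats "0" as 0.0.0.0)
  - "[::1]:8000"       -> IPv6 loopback, brackets required
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_ADDR = "127.0.0.1"
DEFAULT_PORT = 8000

# Either "[ipv6]:port", "host-or-ipv4:port", or just "port".
_ADDRPORT_RE = re.compile(
    r"^(?:(?P<addr>\[[0-9a-fA-F:]+\]|[^:\s]+):)?(?P<port>\d+)$"
)


@dataclass(frozen=True)
class BindInfo:
    addr: str            # address as Django would bind it
    port: int
    loopback_only: bool  # True if only processes on this machine can connect


def parse_runserver_addrport(arg: Optional[str]) -> BindInfo:
    """Parse the optional `[addr:]port` argument of runserver."""
    if not arg:
        return BindInfo(DEFAULT_ADDR, DEFAULT_PORT, True)
    match = _ADDRPORT_RE.match(arg.strip())
    if match is None:
        raise ValueError(f"not a valid [addr:]port value: {arg!r}")
    addr = match.group("addr") or DEFAULT_ADDR
    port = int(match.group("port"))
    if addr == "0":          # Django shorthand for all IPv4 interfaces
        addr = "0.0.0.0"
    host = addr.strip("[]")  # drop IPv6 brackets for classification
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A hostname rather than a literal; only "localhost" is treated
        # as loopback here (assumption of this simplified example).
        loopback = host.lower() == "localhost"
    return BindInfo(addr, port, loopback)


def audit_dev_server(addrport: Optional[str], settings: dict) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a runserver invocation.

    `settings` is a plain dict standing in for the relevant keys of a
    Django settings module (DEBUG, ALLOWED_HOSTS).
    """
    bind = parse_runserver_addrport(addrport)
    findings: List[Tuple[str, str]] = []
    debug = bool(settings.get("DEBUG", False))
    allowed_hosts = list(settings.get("ALLOWED_HOSTS", []))

    if not bind.loopback_only:
        findings.append(("high", f"runserver binds to {bind.addr}:{bind.port}; "
                         "any host that can route to this machine can connect"))
        if debug:
            findings.append(("high", "DEBUG=True on a non-loopback bind: the debug "
                             "error page shows source snippets, settings and environment"))
    if "*" in allowed_hosts:
        findings.append(("medium", "ALLOWED_HOSTS contains '*': Host header validation "
                         "is disabled, which matters once the server is reachable"))
    return findings


if __name__ == "__main__":
    # Constructed sample invocations, not taken from any real project.
    for argv, cfg in [
        (None, {"DEBUG": True, "ALLOWED_HOSTS": []}),
        ("0.0.0.0:8000", {"DEBUG": True, "ALLOWED_HOSTS": ["*"]}),
    ]:
        print(argv or "(default)", "->", audit_dev_server(argv, cfg) or "no findings")
```

The default invocation with `DEBUG=True` produces no findings, which matches the answer's point that an unpublished development server is not reachable from outside; the findings only appear once the bind address stops being loopback-only.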


