Securing the Django admin
This post is followed by this article. In this post, we want to add security features to our Django admin site.
Make secure your Admin
- Change Admin URL
- Change it to something difficult to guess. Keeping /admin/ makes your site easy to profile and is an easy starting point for attackers.
- Action
# urls.py url(r'^admin/', admin.site.urls),
- Secure or Remove Admin Docs
- Your site docs tell a lot about your site and how it’s constructed
- Change or remove the URL to help protect your site
- Action
# urls.py django.contrib.admindocs.urls
- Only Allow Access over HTTPS
- Without HTTPS/SSL it would be trivial to sniff your admin’s username and password
- Action
# settings.py SECURE_SSL_DIRECT = True SESSION_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True
- Limit Access Based on IP
- Most if not all web servers provide a way to limit access to a URL based on IP
- This logic could also be put into middleware too
- Action
- Procedure changes based on your server
- Use django-admin-honeypot
- django-admin-honeypot is a fake Django admin login screen to log and notify admins of attempted unauthorized access
- Action
- Use strong passwords
- django-passwords is a reusable app that provides a form field and validators that check the strength of a password
- Action
Leave a comment