
This post builds on an earlier article. Here we add security hardening to the Django admin site.

Securing your Admin

  • Change Admin URL
    • Change it to something difficult to guess. Keeping /admin/ makes your site easy to fingerprint and gives automated scanners an obvious login form to hammer.
    • This is an obscurity measure only: it cuts down noise but does not replace the controls below.
    • Action
        # urls.py
        # The default prefix; replace 'admin/' with a path that is hard to guess
        url(r'^admin/', admin.site.urls),
      
  • Secure or Remove Admin Docs
    • The admindocs pages list your models, views and URL patterns, which tells an attacker a lot about how the site is constructed
    • Change or remove the URL (or drop 'django.contrib.admindocs' from INSTALLED_APPS entirely) to help protect your site
    • Action
        # urls.py
        # Remove this pattern, or move it under the renamed admin path
        url(r'^admin/doc/', include('django.contrib.admindocs.urls')),
      
  • Only Allow Access over HTTPS
    • Without HTTPS/TLS it is trivial to sniff your admin username and password, and the session cookie, off the wire
    • Action
        # settings.py
        # SECURE_SSL_REDIRECT needs 'django.middleware.security.SecurityMiddleware' in MIDDLEWARE
        SECURE_SSL_REDIRECT = True
        # Behind a TLS-terminating proxy, also tell Django which header signals HTTPS,
        # otherwise the redirect loops:
        # SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
        SESSION_COOKIE_SECURE = True
        CSRF_COOKIE_SECURE = True
      
  • Limit Access Based on IP
    • Most web servers (nginx, Apache) can restrict a URL to a list of client IPs; this keeps the admin off the public internet even if the path leaks
    • The same check can be done in Django middleware, which is useful when you do not control the web server
    • Action
      • Procedure depends on your web server; if a reverse proxy sits in front, make sure the check sees the real client address and not the proxy's
  • Use django-admin-honeypot
    • Serves a fake admin login page at the old /admin/ path and logs (and can e-mail you about) the login attempts, so you see who is probing for it once the real admin has moved
  • Use strong passwords
    • django-passwords is a reusable app that provides a form field and validators that check the strength of a password
    • Action
      • Use its password form field and validators in the forms where users set or change passwords; on Django 1.9 and later the built-in AUTH_PASSWORD_VALIDATORS setting provides the same kind of check without an extra package
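
The "Limit Access Based on IP" item above mentions doing the check in middleware. Below is an added example of such middleware; it is not code from the original post or from any of the packages it names. The admin prefix, the allowed networks, the trusted proxy address and the class name are all assumptions made for illustration. The point a practitioner needs to get right is the one the item hints at: X-Forwarded-For is attacker-controlled, so the middleware only skips hops that were appended by a proxy you trust and otherwise uses the TCP peer address. The Django import has a fallback so the decision logic can be exercised without Django installed.

```python
import ipaddress

try:
    from django.http import HttpResponseForbidden
except ImportError:  # lets the decision logic run and be tested without Django installed
    class HttpResponseForbidden:
        status_code = 403

        def __init__(self, content=b""):
            self.content = content

# Hypothetical settings for this example; in a real project read them from settings.py.
# The prefix is Django's default; the networks are documentation ranges (RFC 5737).
ADMIN_URL_PREFIX = "/admin/"
ADMIN_ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
# Only X-Forwarded-For hops appended by these proxies are believed.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.10/32",)]


def _in_networks(addr, networks):
    return any(addr in net for net in networks)


def client_ip(meta):
    """Resolve the real client address from request.META (a WSGI environ).

    X-Forwarded-For is client-controlled, so the chain is walked from the
    right (nearest hop first) and only entries added by a trusted proxy are
    skipped. A direct client that sets the header gains nothing from it.
    Returns an ip_address object, or None if the chain is malformed.
    """
    chain = [hop.strip() for hop in meta.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    chain = [hop for hop in chain if hop]
    chain.append(meta.get("REMOTE_ADDR", ""))
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the chain: fail closed
        if not _in_networks(addr, TRUSTED_PROXIES):
            return addr
    # Every hop was a trusted proxy (e.g. a proxy health check): the peer itself is the client.
    return addr


def admin_access_allowed(path, meta):
    """True if the request may proceed: non-admin paths always, admin paths only from the allowlist."""
    if not path.startswith(ADMIN_URL_PREFIX):
        return True
    addr = client_ip(meta)
    return addr is not None and _in_networks(addr, ADMIN_ALLOWED_NETWORKS)


class AdminIPRestrictionMiddleware:
    """Django (1.10+ style) middleware; list it in MIDDLEWARE before the auth middleware."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if not admin_access_allowed(request.path, request.META):
            return HttpResponseForbidden("admin access restricted to allowed networks")
        return self.get_response(request)
```

If no proxy sits in front of Django, leave TRUSTED_PROXIES empty: REMOTE_ADDR is then always the client and the header is ignored entirely. Whichever layer does the check, test it both with and without a forged X-Forwarded-For header before relying on it.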
