[![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

_List inspired by the [awesome](https://github.com/sindresorhus/awesome) list thing._

Supported by: [Vinta Software](https://www.vinta.com.br)

# Awesome Django Security

A collection of Django security-related tools and topics. If you are concerned about security and use Django for productivity, this can be of help.

If you'd like to __contribute__ to this list, simply open a PR with your additions.

Maintained by [@tcostam](https://twitter.com/tcostam). If you have contributions but don't have the time, give me a shout on Twitter.

Table of Contents
=================

* [Libs](#libs)
  * [MFA](#mfa)
  * [Session Management](#session-management)
  * [Permissions Management](#permissions-management)
  * [Honeypots](#honeypots)
  * [Cryptography](#cryptography)
  * [Storage](#storage)
  * [Other](#other)
* [Tools](#tools)
* [Vulnerabilities](#vulnerabilities)
* [Guidelines](#guidelines)
* [Documentation](#documentation)
* [Courses](#courses)
* [Talks](#talks)
* [Articles](#articles)

## Libs

### MFA

* [Django Secure Auth](https://github.com/gotlium/django-secure-auth): Secure authentication by TOTP, SMS, codes & questions. Login protected by IP ranges and with captcha
* [Django MFA2](https://github.com/mkalioby/django-mfa2): A Django app that handles MFA; it supports TOTP, U2F, FIDO2 U2F (WebAuthn), email tokens and trusted devices
* [Django Two Factor Auth](https://github.com/Bouke/django-two-factor-auth): Complete two-factor authentication for Django, providing the easiest integration into most Django projects

### Session management

* [Django Defender](https://github.com/kencochrane/django-defender): A simple, super fast Django reusable app that blocks people from brute forcing login attempts
* [Django Axes](https://github.com/jazzband/django-axes): Keep track of failed login attempts in Django-powered sites
* [Django Registration](https://github.com/ubernostrum/django-registration): An extensible application providing user registration functionality for Django-powered web sites
* [Django Session Activity](https://github.com/nigma/django-session-activity): List recent account activity and sign out from all sessions opened on other computers
* [Django Restricted Sessions](https://github.com/mxsasha/django-restricted-sessions): Restrict Django sessions to IP and/or user agent
* [Django Ratelimit Backend](https://github.com/brutasse/django-ratelimit-backend): Rate-limit your login attempts at the authentication backend level
* [Django Session Security](https://github.com/yourlabs/django-session-security): Monitors the user's page activity in order to log them out after inactivity
* [Django Simple Captcha](https://github.com/mbi/django-simple-captcha)

### Permissions management

* [DjangoRestFramework Api Key](https://github.com/florimondmanca/djangorestframework-api-key): API key permissions for the Django REST Framework
* [Django Rules](https://github.com/maraujop/django-rules): Flexible and scalable Django authorization backend for unified per-object permission management
* [Django Rules](https://github.com/dfunckt/django-rules): Provides object-level permissions to Django without requiring a database
* [Django Role Permissions](https://github.com/vintasoftware/django-role-permissions): A Django app for role-based permissions
* [Dry Rest Permissions](https://github.com/dbkaplan/dry-rest-permissions): Rules-based permissions for the Django REST Framework
* [Django Guardian](https://github.com/django-guardian/django-guardian): Implementation of per-object permissions on top of Django's authorization backend
* [Django Authority](https://github.com/jazzband/django-authority): A Django app that provides generic per-object permissions for Django's auth app and helpers to create custom permission checks
* [Django Permission](https://github.com/lambdalisue/django-permission): An enhanced permission system which supports object permissions in Django
* [Django Rulez](https://github.com/chrisglass/django-rulez): A lean and mean object-level rules system for the Django framework

### Honeypots

* [Django Admin Honeypot](https://github.com/dmpayton/django-admin-honeypot): A fake Django admin login screen to log and notify admins of attempted unauthorized access
* [Django Honeypot](https://github.com/jamesturk/django-honeypot): Generic honeypot utilities for use in Django projects

### Cryptography

* [Django Cryptography](https://github.com/georgemarshall/django-cryptography): Easily encrypt data in Django

### Storage

* [Django Safe Filefield](https://github.com/mixkorshun/django-safe-filefield): Secure file field which allows you to restrict uploaded file extensions
* [Django Random Filestorage](https://github.com/mxsasha/django-random-filestorage): Django storage class that assigns random filenames to all stored files

### Other

* [Django Security](https://github.com/sdelements/django-security): A collection of models, views, middlewares, and forms to help secure a Django project
* [Django Sudo](https://github.com/mattrobenolt/django-sudo): Extra security for your sensitive pages
* [Django Impersonate](https://bitbucket.org/petersanchez/django-impersonate/): Simple app to allow superusers to log in as other (non-superuser) accounts via a quick user switch process
* [Wemake Django Template](https://github.com/wemake-services/wemake-django-template): Bleeding edge Django template focused on code quality and security
* [Django SSLify](https://github.com/rdegges/django-sslify/): Force SSL on your Django site
* [Django Stronghold](https://github.com/mgrouchy/django-stronghold/): Make all your Django views default to login_required
* [Django Lockdown](https://github.com/Dunedan/django-lockdown): Lock down a Django site or individual views, with configurable preview authorization
* [Impostor](https://github.com/samastur/Impostor): Django app that enables staff to log in as other users using their own credentials
* [Django Primate](https://github.com/sorl/django-primate): A modular Django User
* [Django HTML Sanitizer](https://github.com/ui/django-html_sanitizer): A set of HTML input sanitization or cleaning utilities for Django models, forms and templates
* [Django Rules Light](https://github.com/yourlabs/django-rules-light): A simple alternative to django-rules. The core difference is that it uses a registry that can be modified at runtime instead of database models
* [Django Inspectional Registration](https://github.com/lambdalisue/django-inspectional-registration): Django registration app with inspection before activation
* [Django Mongo Auth](https://github.com/mitar/django-mongo-auth): Django authentication based on an extensible MongoEngine user class
* [HTML Sanitizer](https://github.com/matthiask/html-sanitizer): Allowlist-based HTML cleaner
* [Bleach](https://github.com/mozilla/bleach): An allowlist-based HTML sanitizing library that escapes or strips markup and attributes

## Tools

* [Django Trawler](https://bitbucket.org/onelson/django-trawler/src/default/): This app is used to send out phishing emails and collect data on which recipients acted on them
* [DJ Checkup](https://djcheckup.com/): Basic automated security checkup for Django websites
* [SSL Checker](https://www.sslshopper.com/ssl-checker.html): Diagnose problems with your SSL certificate installation
* [Safety](https://pyup.io/safety/): Check your dependencies for known security vulnerabilities
* [Mozilla Observatory](https://observatory.mozilla.org): A set of tools to analyze your website and inform you whether you are utilizing the many available methods to secure it
* [Snyk](https://snyk.io): CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies

## Vulnerabilities

* [Django Debreach](https://github.com/lpomfrey/django-debreach/): Basic/extra mitigation against the BREACH attack for Django projects
* [Django CVEs](https://www.cvedetails.com/vulnerability-list/vendor_id-10199/product_id-18211/Djangoproject-Django.html)
* [Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)](https://seclists.org/oss-sec/2019/q2/138)

## Guidelines

* [Django Security Tips](https://github.com/sellonen/django-security-tips): Learn and promote secure system administration tips and practices in the Django community
* [OWASP Python Security Project](http://www.pythonsecurity.org/)
* [Django Security Cheat Sheet - OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Django_Security_Cheat_Sheet.html)
* [Django REST Framework (DRF) Cheat Sheet - OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/cheatsheets/Django_REST_Framework_Cheat_Sheet.html)

## Documentation

* [Django Docs: Security in Django](https://docs.djangoproject.com/en/2.2/topics/security/)
* [Django Packages: Security](https://djangopackages.org/grids/g/security/)
* [Deployment checklist](https://docs.djangoproject.com/en/2.2/howto/deployment/checklist/)
* [Mozilla's tutorial on Django web application security](https://developer.mozilla.org/en-US/docs/Learn/Server-side/Django/web_application_security)

## Courses

* [Learn the secrets to defensive programming in Python and Django](https://www.synopsys.com/blogs/software-security/defensive-programming-python-django/)

## Talks

* [Terri Oda - Python Security Tools - PyCon 2019](https://www.youtube.com/watch?v=e7zzdl8OXCU)
* [Kelsey Gilmore-Innis - Making Django Ridiculously Secure (CW) - DjangoCon US 2015](https://youtu.be/H2llNbMe-V4?si=i4-OUGvOHb4cdsrq)

## Articles

* [What You Need to Know to Manage Users in Django Admin](https://realpython.com/manage-users-in-django-admin/)
* [MDN - Django web application security](https://developer.mozilla.org/en-US/docs/Learn/Server-side/Django/web_application_security)
* [Protect Your Django Web Application From Security Threats](https://dzone.com/articles/protect-your-django-web-application-from-security-1)
* [10 tips for making the Django Admin more secure](https://opensource.com/article/18/1/10-tips-making-django-admin-more-secure)
* [Tips and Tools for Securing Django](https://www.laurencegellert.com/2019/01/tips-and-tools-for-securing-django/)
* [Django in the wild: tips for deployment survival](https://medium.freecodecamp.org/django-in-the-wild-tips-for-deployment-survival-9b491081c2e4)
* [Django Web Application Security](https://pt.slideshare.net/levigross/django-web-application-security)
* [Django in the real world](https://pt.slideshare.net/jacobian/django-in-the-real-world/)
* [XSS Exploitation in Django Applications](https://tonybaloney.github.io/posts/xss-exploitation-in-django.html)