thrillwiki_django_no_react/docs/SECURITY_CHECKLIST.md
pacnpal 2e35f8c5d9 feat: Refactor rides app with unique constraints, mixins, and enhanced documentation
- Added migration to convert unique_together constraints to UniqueConstraint for RideModel.
- Introduced RideFormMixin for handling entity suggestions in ride forms.
- Created comprehensive code standards documentation outlining formatting, docstring requirements, complexity guidelines, and testing requirements.
- Established error handling guidelines with a structured exception hierarchy and best practices for API and view error handling.
- Documented view pattern guidelines, emphasizing the use of CBVs, FBVs, and ViewSets with examples.
- Implemented a benchmarking script for query performance analysis and optimization.
- Developed security documentation detailing measures, configurations, and a security checklist.
- Compiled a database optimization guide covering indexing strategies, query optimization patterns, and computed fields.
2025-12-22 11:17:31 -05:00


ThrillWiki Security Checklist

Use this checklist for code reviews and pre-deployment verification.

Pre-Deployment Checklist

Django Settings

  • DEBUG = False
  • SECRET_KEY is unique and strong (50+ characters)
  • ALLOWED_HOSTS is configured (no wildcards)
  • CSRF_TRUSTED_ORIGINS is configured
  • SECURE_SSL_REDIRECT = True
  • SECURE_HSTS_SECONDS >= 31536000 (1 year)
  • SECURE_HSTS_INCLUDE_SUBDOMAINS = True
  • SECURE_HSTS_PRELOAD = True
  • SESSION_COOKIE_SECURE = True
  • SESSION_COOKIE_HTTPONLY = True
  • SESSION_COOKIE_SAMESITE = 'Strict'
  • CSRF_COOKIE_SECURE = True
  • CSRF_COOKIE_SAMESITE = 'Strict'
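The settings items above can be checked mechanically. The script below is an added example written for this checklist, not ThrillWiki's own `security_audit` command: it audits a plain dict shaped like a Django settings module (so it runs without Django installed) against exactly the rules listed, and the two sample configurations, the host names and the placeholder secret are constructed for the demonstration.

```python
"""Hypothetical settings audit for the Django items on this checklist.

Added example, not ThrillWiki's security_audit command. It checks a plain
dict shaped like a Django settings module, so it runs without Django.
"""
from typing import Any, Callable

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age on the checklist


def is_true(v: Any) -> bool:
    return v is True  # reject truthy strings such as "False" read from the environment


def strong_secret(v: Any) -> bool:
    # startproject generates keys prefixed "django-insecure-"; those must never ship
    return isinstance(v, str) and len(v) >= 50 and not v.startswith("django-insecure-")


def hosts_ok(v: Any) -> bool:
    return isinstance(v, (list, tuple)) and len(v) > 0 and "*" not in v


# (setting name, predicate, requirement text shown in the finding)
RULES: list[tuple[str, Callable[[Any], bool], str]] = [
    ("DEBUG", lambda v: v is False, "must be False"),
    ("SECRET_KEY", strong_secret, "unique, 50+ characters, not the startproject default"),
    ("ALLOWED_HOSTS", hosts_ok, "must be set and contain no wildcard"),
    ("CSRF_TRUSTED_ORIGINS", lambda v: isinstance(v, (list, tuple)) and len(v) > 0, "must be configured"),
    ("SECURE_SSL_REDIRECT", is_true, "must be True"),
    ("SECURE_HSTS_SECONDS", lambda v: isinstance(v, int) and v >= ONE_YEAR, "must be >= 31536000"),
    ("SECURE_HSTS_INCLUDE_SUBDOMAINS", is_true, "must be True"),
    ("SECURE_HSTS_PRELOAD", is_true, "must be True"),
    ("SESSION_COOKIE_SECURE", is_true, "must be True"),
    ("SESSION_COOKIE_HTTPONLY", is_true, "must be True"),
    ("SESSION_COOKIE_SAMESITE", lambda v: v == "Strict", "must be 'Strict'"),
    ("CSRF_COOKIE_SECURE", is_true, "must be True"),
    ("CSRF_COOKIE_SAMESITE", lambda v: v == "Strict", "must be 'Strict'"),
]


def audit_settings(settings: dict[str, Any]) -> list[str]:
    """Return one finding per failed rule; an empty list means every item passes.

    An absent setting is reported as failed rather than skipped, so the audit
    never silently depends on Django's defaults.
    """
    findings = []
    for name, check, requirement in RULES:
        value = settings.get(name)
        if not check(value):
            findings.append(f"{name}: {requirement} (got {value!r})")
    return findings


# Constructed sample: a development-style configuration.
DEV_SETTINGS: dict[str, Any] = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-change-me",
    "ALLOWED_HOSTS": ["*"],
    "SESSION_COOKIE_SAMESITE": "Lax",
}

# Constructed sample: a production-style configuration that satisfies every item.
PROD_SETTINGS: dict[str, Any] = {
    "DEBUG": False,
    "SECRET_KEY": "k" * 64,  # placeholder; the real value comes from the environment
    "ALLOWED_HOSTS": ["thrillwiki.example"],  # placeholder host name
    "CSRF_TRUSTED_ORIGINS": ["https://thrillwiki.example"],
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": ONE_YEAR,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Strict",
    "CSRF_COOKIE_SECURE": True,
    "CSRF_COOKIE_SAMESITE": "Strict",
}

if __name__ == "__main__":
    for label, cfg in (("dev", DEV_SETTINGS), ("prod", PROD_SETTINGS)):
        findings = audit_settings(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The identity checks (`v is True`, `v is False`) are deliberate: when these values are read from environment variables without conversion, a string such as `"False"` is truthy, and an audit that used plain truthiness would wave it through.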

Database

  • Database password is strong
  • Database connection uses SSL
  • Database user has minimal required permissions
  • No raw SQL with user input

Environment

  • Environment variables are used for secrets
  • No secrets in version control
  • .env file is in .gitignore
  • Production logs don't contain sensitive data

Code Review Checklist

Input Validation

  • All user input is validated
  • File uploads use validate_image_upload()
  • User-generated HTML uses |sanitize filter
  • URLs are validated with sanitize_url()
  • Form data uses Django forms/serializers

Output Encoding

  • No |safe filter on user-controlled content
  • JSON data uses json_script tag
  • JavaScript strings use escapejs filter
  • SVG icons use |sanitize_svg filter

Authentication

  • Sensitive views require @login_required
  • API views have appropriate permission_classes
  • Password changes invalidate sessions
  • Rate limiting on auth endpoints

Authorization

  • Object-level permissions checked
  • Users can only access their own data
  • Admin actions require proper permissions
  • No privilege escalation paths

Data Protection

  • Sensitive data not logged
  • PII masked in logs
  • Error messages don't expose internals
  • Secure deletion of sensitive data

CSRF

  • All forms include {% csrf_token %}
  • AJAX requests include CSRF header
  • CSRF exemptions are documented and justified

SQL Injection

  • No raw SQL with user input
  • No .extra() with user input
  • Parameterized queries for raw SQL
  • Django ORM used for queries
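The difference between "raw SQL with user input" and "parameterized queries for raw SQL" is shown below in an added example written for this checklist, not ThrillWiki code. It uses the standard-library sqlite3 module so it runs without Django; the table, the ride rows and the search terms are constructed sample data. The same idea applies to Django's `Model.objects.raw(sql, params)` and `cursor.execute(sql, params)`, which take `%s` placeholders instead of sqlite3's `?`.

```python
"""Parameterised raw SQL beside the string-built version the checklist forbids.

Added example for the SQL Injection items; not ThrillWiki code. sqlite3 is used
so it runs without Django; Django's raw()/cursor.execute() take %s placeholders.
"""
import sqlite3

# Constructed sample data
RIDES = [
    ("Steel Vengeance", "Cedar Point"),
    ("Fury 325", "Carowinds"),
    ("Millennium Force", "Cedar Point"),
]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ride (id INTEGER PRIMARY KEY, name TEXT NOT NULL, park TEXT NOT NULL)")
    conn.executemany("INSERT INTO ride (name, park) VALUES (?, ?)", RIDES)
    conn.commit()
    return conn


def search_rides_unsafe(conn: sqlite3.Connection, term: str) -> list[str]:
    """What the checklist forbids: user input spliced into the SQL text.

    A single apostrophe in the term changes the statement itself, which is the
    same mechanism an injection relies on; here it surfaces as a syntax error.
    """
    sql = f"SELECT name FROM ride WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def _escape_like(term: str) -> str:
    # Bound parameters stop SQL injection but not LIKE wildcards; escape those too,
    # so a search for "%" cannot widen the match to every row.
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_rides(conn: sqlite3.Connection, term: str) -> list[str]:
    """Checklist-compliant version: the value travels as a bound parameter."""
    sql = "SELECT name FROM ride WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (f"%{_escape_like(term)}%",))]


def breaks_query(conn: sqlite3.Connection, term: str) -> bool:
    """True when the string-built query fails to parse for this input."""
    try:
        search_rides_unsafe(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    for term in ("Steel", "%", "Mike's"):
        safe = search_rides(db, term)
        unsafe = "syntax error" if breaks_query(db, term) else search_rides_unsafe(db, term)
        print(f"{term!r}: parameterised={safe} string-built={unsafe}")
```

Two points the example makes that a one-line "use placeholders" rule does not: the string-built query breaks on ordinary input such as a name with an apostrophe, so the unsafe pattern is also a correctness bug, and binding the value alone does not neutralise LIKE wildcards, which is why `_escape_like` exists.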

Incident Response

If a Vulnerability is Found

  1. Document the vulnerability
  2. Assess impact and affected users
  3. Develop and test a fix
  4. Deploy fix to production
  5. Notify affected users if needed
  6. Post-mortem analysis

If a Breach is Suspected

  1. Isolate affected systems
  2. Preserve logs and evidence
  3. Notify relevant parties
  4. Investigate scope
  5. Remediate and restore
  6. Document lessons learned

Regular Security Tasks

Weekly

  • Review error logs for anomalies
  • Check rate limiting effectiveness
  • Monitor failed login attempts

Monthly

  • Run python manage.py security_audit
  • Review and update dependencies
  • Check for security advisories

Quarterly

  • Full security review
  • Penetration testing
  • Update security documentation
  • Review and rotate secrets

Security Tools

  • OWASP ZAP: Web application scanner
  • bandit: Python security linter
  • safety: Python dependency checker
  • pip-audit: Vulnerability scanner for Python packages

Running Security Scans

# Run Django security check
python manage.py check --tag=security

# Run security audit
python manage.py security_audit --verbose

# Check for vulnerable dependencies
pip-audit

# Run Python security linter
bandit -r backend/