DjangoCheatSheet - modification of admin panel url (OWASP#1261)
Cmaiek authored Dec 14, 2023
1 parent a6e03a0 commit ce70cf6
Showing 2 changed files with 8 additions and 2 deletions.
2 changes: 1 addition & 1 deletion CONTRIBUTING.md
@@ -68,7 +68,7 @@ When submitting changes in a PR, consider the following areas:
### Language

- Use US English.
- Spell check before submitted a PR.
- Spell check before submitting a PR.
- Try and keep the language relatively simple to make it easier for non-native speakers
- Define any non-ubiquitous acronyms when they are first used.
- This is not necessary for extremely common acronyms such as "HTTP" or "URL".
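Review bot: the `submitted` to `submitting` fix is correct, and while this list is being touched the neighbouring item `Try and keep the language relatively simple to make it easier for non-native speakers` is the only one without a terminal period and reads more naturally as `Try to keep ...`; both could be fixed in the same commit.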
8 changes: 7 additions & 1 deletion cheatsheets/Django_Security_Cheat_Sheet.md
@@ -10,7 +10,7 @@ The Django framework provides some built-in security features that aim to be sec

- Always keep Django and your application's dependencies up-to-date to keep up with security vulnerabilities.
- Ensure that the application is never in `DEBUG` mode in a production environment. Never run `DEBUG = True` in production.
- Use packages like [`django_ratelimit`](https://django-ratelimit.readthedocs.io/en/stable/) to prevent brute-force attacks.
- Use packages like [`django_ratelimit`](https://django-ratelimit.readthedocs.io/en/stable/) or [`django-axes`](https://django-axes.readthedocs.io/en/latest/index.html) to prevent brute-force attacks.

## Authentication

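Review bot: the new `django-axes` link points at `/en/latest/index.html` while the `django_ratelimit` link on the same line uses `/en/stable/`; drop the `index.html` suffix and pin both references the same way so the link does not depend on the docs' landing-page filename. The bullet also still claims these packages `prevent brute-force attacks`; rate limiting and lockouts raise the cost of guessing but do not stop it, so `mitigate` or `slow down` is the accurate verb, which matters in a cheat sheet that readers will quote.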
@@ -161,6 +161,12 @@ The recommendations in this section are in addition to XSS recommendations alrea
- Set the `SECURE_SSL_REDIRECT = True` in the `settings.py` file to ensure that all communication is over HTTPS. This will redirect any HTTP requests automatically to HTTPS. This is also a 301 (permanent) redirect, so your browser will remember the redirect for subsequent requests.
- If your Django application is behind a proxy or load balancer, set the `SECURE_PROXY_SSL_HEADER` setting to `TRUE` so that Django can detect the original request's protocol. For futher details refer to [SECURE_PROXY_SSL_HEADER documentation](https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header).

## Admin panel URL

It is advisable to modify the default URL leading to the admin panel (example.com/admin/), in order to slightly increase the difficulty for automated attacks. Here’s how to do it:

In the default app folder within your project, locate the `urls.py` file managing the top-level URLs. Within the file, modify the `urlpatterns` variable, a list, so that the URL leading to `admin.site.urls` is different from "admin/". This approach adds an extra layer of security by obscuring the common endpoint used for administrative access.

## References

Additional documentation -
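Review bot: `This approach adds an extra layer of security by obscuring the common endpoint` overstates what renaming `admin/` buys; it is security through obscurity that only reduces noise from scanners probing the default path, so the new section should state that it is a complement to, not a substitute for, strong admin credentials and the `django_ratelimit`/`django-axes` advice given at the top of this sheet, and that the path stays hidden only as long as nothing on the site links to or lists it (another reason the `DEBUG = True` warning above applies). The section is also the only one in this diff that describes a change in prose alone, whereas the surrounding text shows the actual line (`SECURE_SSL_REDIRECT = True`); show the `urlpatterns` entry, e.g. `path('<non-default-path>/', admin.site.urls)` in place of `path('admin/', admin.site.urls)`, so readers do not have to guess at the edit. Minor: `Here’s` uses a curly apostrophe while the rest of the sheet uses straight ones, and the unchanged context line above has the typo `futher` and tells readers to set `SECURE_PROXY_SSL_HEADER` to `TRUE`, which is not what that setting takes (it is a header-name/value pair); worth a follow-up even though it is outside this change.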