Leaving the least amount of information relating to an application’s environment can help prevent data breaches and their headaches.
There are plenty of ways attackers try to gain access to sensitive information for websites. By giving up as little information about the platform as possible, we can help limit the number of attack vectors malevolent users may try. Django makes configuring applications easy so even a single line can help prevent breaches.
Django comes with a handy administration portal that can be used to view, modify, and delete data in the backend database. Acces to this portal can disrupt users or even make their information vulnerable. By default, a user needs only to navigate “/admin” to access the portal.
This page allows an attacker to recognize the platform as a Django application, allowing them to try common Django-specific attacks. A clever attacker may even recognize the version of Django running by the CSS styling on the page and use detailed and documented attacks to gain access.
One easy way to help mitigate giving this knowledge is to forego any login attempts to the admin portal directly. Instead, we can forward all login requests to the site’s normal login page just by adding a single line in the urls.py page.
# Add this line to redirect login attempts to the normal login page url(r'^admin/login/', RedirectView.as_view(url=reverse_lazy("login"))), ... # The normal admin loging sites url(r'^admin/', admin.site.urls), # The normal login page url('^login/?$', LoginView.as_view(), name='login'),
Now, if any unauthenticated user tries to go to /admin, they’ll be redirected to a normal-looking Login page, like this one:
Unlike the login form in the admin portal, this page conceals the fact that the user is interfacing with a Django application. For legitimate administrators, they can once again access the portal after authenticating by manually navigating to “/admin” again, or the website can be designed to present a link only visible to administrators that will lead them to the portal. For any other user, Django will redirect them to the homepage.
While this doesn’t cover or prevent every attack, especially attacks directly against the login, this does help to frustrate attackers by concealing data relating to the running environment, and it does so in an aesthetically pleasing way. This is just a single step, but it’s an easy one.