
Full Stack Python Security: Cryptography, TLS, and attack resistance teaches you everything you need to secure Python and Django-based web apps. In it, seasoned security pro Dennis Byrne demystifies complex security terms and algorithms. Starting with a clear review of cryptographic foundations, you’ll learn how to implement layers of defense, secure user authentication and third-party access, and protect your applications against common hacks.

Table of Contents

  1. Full Stack Python Security
  2. Copyright
  3. contents
  4. front matter
    1. preface
    2. acknowledgments
    3. about this book
    4. Who should read this book
    5. How this book is organized: A roadmap
    6. About the code
    7. liveBook discussion forum
    8. about the author
    9. about the cover illustration
  5. 1 Defense in depth
    1. 1.1 Attack surface
    2. 1.2 Defense in depth
    3. 1.2.1 Security standards
    4. 1.2.2 Best practices
    5. 1.2.3 Security fundamentals
    6. 1.3 Tools
    7. 1.3.1 Staying practical
    8. Summary
  6. Part 1 Cryptographic foundations
  7. 2 Hashing
    1. 2.1 What is a hash function?
    2. 2.1.1 Cryptographic hash function properties
    3. 2.2 Archetypal characters
    4. 2.3 Data integrity
    5. 2.4 Choosing a cryptographic hash function
    6. 2.4.1 Which hash functions are safe?
    7. 2.4.2 Which hash functions are unsafe?
    8. 2.5 Cryptographic hashing in Python
    9. 2.6 Checksum functions
    10. Summary
  8. 3 Keyed hashing
    1. 3.1 Data authentication
    2. 3.1.1 Key generation
    3. 3.1.2 Keyed hashing
    4. 3.2 HMAC functions
    5. 3.2.1 Data authentication between parties
    6. 3.3 Timing attacks
    7. Summary
  9. 4 Symmetric encryption
    1. 4.1 What is encryption?
    2. 4.1.1 Package management
    3. 4.2 The cryptography package
    4. 4.2.1 Hazardous materials layer
    5. 4.2.2 Recipes layer
    6. 4.2.3 Key rotation
    7. 4.3 Symmetric encryption
    8. 4.3.1 Block ciphers
    9. 4.3.2 Stream ciphers
    10. 4.3.3 Encryption modes
    11. Summary
  10. 5 Asymmetric encryption
    1. 5.1 Key-distribution problem
    2. 5.2 Asymmetric encryption
    3. 5.2.1 RSA public-key encryption
    4. 5.3 Nonrepudiation
    5. 5.3.1 Digital signatures
    6. 5.3.2 RSA digital signatures
    7. 5.3.3 RSA digital signature verification
    8. 5.3.4 Elliptic-curve digital signatures
    9. Summary
  11. 6 Transport Layer Security
    1. 6.1 SSL? TLS? HTTPS?
    2. 6.2 Man-in-the-middle attack
    3. 6.3 The TLS handshake
    4. 6.3.1 Cipher suite negotiation
    5. 6.3.2 Key exchange
    6. 6.3.3 Server authentication
    7. 6.4 HTTP with Django
    8. 6.4.1 The DEBUG setting
    9. 6.5 HTTPS with Gunicorn
    10. 6.5.1 Self-signed public-key certificates
    11. 6.5.2 The Strict-Transport-Security response header
    12. 6.5.3 HTTPS redirects
    13. 6.6 TLS and the requests package
    14. 6.7 TLS and database connections
    15. 6.8 TLS and email
    16. 6.8.1 Implicit TLS
    17. 6.8.2 Email client authentication
    18. 6.8.3 SMTP authentication credentials
    19. Summary
  12. Part 2 Authentication and authorization
  13. 7 HTTP session management
    1. 7.1 What are HTTP sessions?
    2. 7.2 HTTP cookies
    3. 7.2.1 Secure directive
    4. 7.2.2 Domain directive
    5. 7.2.3 Max-Age directive
    6. 7.2.4 Browser-length sessions
    7. 7.2.5 Setting cookies programmatically
    8. 7.3 Session-state persistence
    9. 7.3.1 The session serializer
    10. 7.3.2 Simple cache-based sessions
    11. 7.3.3 Write-through cache-based sessions
    12. 7.3.4 Database-based session engine
    13. 7.3.5 File-based session engine
    14. 7.3.6 Cookie-based session engine
    15. Summary
  14. 8 User authentication
    1. 8.1 User registration
    2. 8.1.1 Templates
    3. 8.1.2 Bob registers his account
    4. 8.2 User authentication
    5. 8.2.1 Built-in Django views
    6. 8.2.2 Creating a Django app
    7. 8.2.3 Bob logs into and out of his account
    8. 8.3 Requiring authentication concisely
    9. 8.4 Testing authentication
    10. Summary
  15. 9 User password management
    1. 9.1 Password-change workflow
    2. 9.1.1 Custom password validation
    3. 9.2 Password storage
    4. 9.2.1 Salted hashing
    5. 9.2.2 Key derivation functions
    6. 9.3 Configuring password hashing
    7. 9.3.1 Native password hashers
    8. 9.3.2 Custom password hashers
    9. 9.3.3 Argon2 password hashing
    10. 9.3.4 Migrating password hashers
    11. 9.4 Password-reset workflow
    12. Summary
  16. 10 Authorization
    1. 10.1 Application-level authorization
    2. 10.1.1 Permissions
    3. 10.1.2 User and group administration
    4. 10.2 Enforcing authorization
    5. 10.2.1 The low-level hard way
    6. 10.2.2 The high-level easy way
    7. 10.2.3 Conditional rendering
    8. 10.2.4 Testing authorization
    9. 10.3 Antipatterns and best practices
    10. Summary
  17. 11 OAuth 2
    1. 11.1 Grant types
    2. 11.1.1 Authorization code flow
    3. 11.2 Bob authorizes Charlie
    4. 11.2.1 Requesting authorization
    5. 11.2.2 Granting authorization
    6. 11.2.3 Token exchange
    7. 11.2.4 Accessing protected resources
    8. 11.3 Django OAuth Toolkit
    9. 11.3.1 Authorization server responsibilities
    10. 11.3.2 Resource server responsibilities
    11. 11.4 requests-oauthlib
    12. 11.4.1 OAuth client responsibilities
    13. Summary
  18. Part 3 Attack resistance
  19. 12 Working with the operating system
    1. 12.1 Filesystem-level authorization
    2. 12.1.1 Asking for permission
    3. 12.1.2 Working with temp files
    4. 12.1.3 Working with filesystem permissions
    5. 12.2 Invoking external executables
    6. 12.2.1 Bypassing the shell with internal APIs
    7. 12.2.2 Using the subprocess module
    8. Summary
  20. 13 Never trust input
    1. 13.1 Package management with Pipenv
    2. 13.2 YAML remote code execution
    3. 13.3 XML entity expansion
    4. 13.3.1 Quadratic blowup attack
    5. 13.3.2 Billion laughs attack
    6. 13.4 Denial of service
    7. 13.5 Host header attacks
    8. 13.6 Open redirect attacks
    9. 13.7 SQL injection
    10. 13.7.1 Raw SQL queries
    11. 13.7.2 Database connection queries
    12. Summary
  21. 14 Cross-site scripting attacks
    1. 14.1 What is XSS?
    2. 14.1.1 Persistent XSS
    3. 14.1.2 Reflected XSS
    4. 14.1.3 DOM-based XSS
    5. 14.2 Input validation
    6. 14.2.1 Django form validation
    7. 14.3 Escaping output
    8. 14.3.1 Built-in rendering utilities
    9. 14.3.2 HTML attribute quoting
    10. 14.4 HTTP response headers
    11. 14.4.1 Disable JavaScript access to cookies
    12. 14.4.2 Disable MIME type sniffing
    13. 14.4.3 The X-XSS-Protection header
    14. Summary
  22. 15 Content Security Policy
    1. 15.1 Composing a content security policy
    2. 15.1.1 Fetch directives
    3. 15.1.2 Navigation and document directives
    4. 15.2 Deploying a policy with django-csp
    5. 15.3 Using individualized policies
    6. 15.4 Reporting CSP violations
    7. 15.5 Content Security Policy Level 3
    8. Summary
  23. 16 Cross-site request forgery
    1. 16.1 What is request forgery?
    2. 16.2 Session ID management
    3. 16.3 State-management conventions
    4. 16.3.1 HTTP method validation
    5. 16.4 Referer header validation
    6. 16.4.1 Referrer-Policy response header
    7. 16.5 CSRF tokens
    8. 16.5.1 POST requests
    9. 16.5.2 Other unsafe request methods
    10. Summary
  24. 17 Cross-Origin Resource Sharing
    1. 17.1 Same-origin policy
    2. 17.2 Simple CORS requests
    3. 17.2.1 Cross-origin asynchronous requests
    4. 17.3 CORS with django-cors-headers
    5. 17.3.1 Configuring Access-Control-Allow-Origin
    6. 17.4 Preflight CORS requests
    7. 17.4.1 Sending the preflight request
    8. 17.4.2 Sending the preflight response
    9. 17.5 Sending cookies across origins
    10. 17.6 CORS and CSRF resistance
    11. Summary
  25. 18 Clickjacking
    1. 18.1 The X-Frame-Options header
    2. 18.1.1 Individualized responses
    3. 18.2 The Content-Security-Policy header
    4. 18.2.1 X-Frame-Options versus CSP
    5. 18.3 Keeping up with Mallory
    6. Summary
  26. index