Web Front End Security

Miao Siyu
benben772009@hotmail.com
Web Front End Hacking
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Hijacking

Hey, social engineering is as dangerous (or more dangerous)!
Web basic
- URL
- HTTP protocol & headers
  blacklist for JS setting headers: not every header can be set by JS
- HTML, DOM & iframe
- local data storage & cookies
  sub domain, path, http-only cookie, secure cookie
- JavaScript:
  action with DOM, cookies, form, XMLHttpRequest...
- CSS
- ActionScript, PDF...
Same-origin policy

- A combination of protocol, hostname, and port number.
- Applies to DOM, cookies, XMLHttpRequest, robots.txt
Same-origin policy

Relaxing the same-origin policy:
- document.domain property:
  orders.example.com & catalog.example.com
- Cross-Origin Resource Sharing:
  Access-Control-Allow-Origin response header
- Cross-document messaging
- JSONP: <script> element
XSS: inject client-side scripts into web pages

Types:
- Non-persistent
- Persistent
- DOM XSS
not necessarily script, maybe also <img> (encode JS as image)...
CSRF: unauthorized commands are transmitted from a user that the website trusts
- GET: ajax, src (img, iframe...)...
- POST: form
- JSONP: callback / Array
Hijacking: UI redress attack
transparent layer + iframe
- clickjacking
- drag&drop-jacking
- tapjacking
Finding vulnerability (XSS)
- Input point, output point, payload & vulnerability scanner
- XSS filtering
- fuzzing: finding DOM vulnerability
Finding vulnerability (XSS)
"saying the same words using another language"

- self decoding: careful about the context
  HTML: hex &#xH;, decimal &#D;, HtmlEncode
  JavaScript: Unicode \uH, hex \xH
- special tags: textarea, iframe, noscript, noframes, xmp, plaintext
- charsets
- escape / unescape
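The point of "self decoding" is that the browser decodes HTML entities (hex and decimal) in HTML contexts and \uHHHH / \xHH escapes inside JavaScript strings, so a filter that inspects the raw bytes sees different text than the browser does. The Python below is an added example, not the deck's own code: normalize() repeatedly applies both decodings until the string stops changing, and the two filter functions show what a naive match misses. Function names, the bounded round count and the token list in DANGEROUS are assumptions of this example; decoding both notations at once is deliberately conservative for a detector (it over-flags rather than under-flags), and the right fix for output is context-correct encoding, not a blacklist.

```python
import html
import re

# \uHHHH and \xHH as they appear inside a JavaScript string literal.
JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")


def decode_js_escapes(s):
    """Replace JavaScript Unicode/hex escapes with the character they denote."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def normalize(value, rounds=3):
    """Apply HTML entity decoding and JS escape decoding until stable.

    Bounding the rounds keeps nested encodings (e.g. &amp;#x3c;) from turning
    into an unbounded loop while still collapsing them to what the browser
    would eventually render. 'rounds' is an assumption of this example.
    """
    for _ in range(rounds):
        nxt = decode_js_escapes(html.unescape(value))
        if nxt == value:
            break
        value = nxt
    return value


# Tokens this example treats as signals of script injection (assumption).
DANGEROUS = re.compile(
    r"<\s*(script|img|iframe|svg)\b|\bon[a-z]+\s*=|javascript\s*:", re.I
)


def naive_filter_flags(value):
    """Matches on the raw input only: bypassed by any re-encoding."""
    return bool(DANGEROUS.search(value))


def normalized_filter_flags(value):
    """Matches on the decoded form the browser would actually interpret."""
    return bool(DANGEROUS.search(normalize(value)))


if __name__ == "__main__":
    # Constructed sample inputs in each of the notations the slide lists.
    samples = [
        "&#x3c;script&#62;",            # HTML hex + decimal entities
        "\\u003cscript\\u003e",          # JavaScript Unicode escapes
        "&amp;#x3c;script&amp;#x3e;",   # double-encoded HTML entity
        "hello <b>world</b>",           # benign markup
    ]
    for s in samples:
        print(repr(s), naive_filter_flags(s), normalized_filter_flags(s))
```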
HTML5
- new tags
- new attributes
- history API & short URL
- web worker
Web worm
- XSS
- CSRF
- ClickJacking
Defending
- X-Frame-Options: limits being included in an iframe (clickjacking)
- X-XSS-Protection: detects attacks coming from the URL (reflected XSS)
- X-Content-Security-Policy (CSP): separates HTML, CSS & script (XSS)
- Divided sub domains
- HTTPS
- HttpOnly cookie
- Captcha
- Referer checking
- Session time
- CSRF token
- Frame busting
- NoScript plugin
And, don't believe anyone easily!
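Several of the defences on this slide are response headers or cookie flags, which makes them easy to check mechanically. The function below is an added example, not part of the deck: it audits a list of (name, value) header pairs, as a server or proxy would emit them, for X-Frame-Options, a Content-Security-Policy that does not reopen inline script, and HttpOnly/Secure on every Set-Cookie. The function name, the finding strings and the sample header sets are assumptions of this example; the header names themselves are the standard ones (X-Content-Security-Policy is the older prefixed spelling the slide uses, and X-XSS-Protection is accepted only for completeness, because current browsers ignore it).

```python
def audit_security_headers(header_pairs):
    """Return a list of findings for a response's headers.

    header_pairs: iterable of (name, value); Set-Cookie may appear many times,
    which is why a plain dict is not used. Names are matched case-insensitively.
    """
    single = {}
    cookies = []
    for name, value in header_pairs:
        key = name.lower()
        if key == "set-cookie":
            cookies.append(value)
        else:
            single[key] = value

    findings = []

    # Clickjacking: the page must not be framed by foreign sites.
    xfo = single.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    # XSS: CSP should keep script out of the HTML; 'unsafe-inline' undoes that.
    csp = single.get("content-security-policy") or single.get("x-content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy missing (XSS)")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP permits 'unsafe-inline', so inline script is still allowed (XSS)")

    # X-XSS-Protection is legacy; noted only, never treated as sufficient.
    # (No finding is raised for it, because modern browsers do not honour it.)

    # Cookies: HttpOnly keeps them away from document.cookie, Secure off plain HTTP.
    for cookie in cookies:
        parts = cookie.split(";")
        cookie_name = parts[0].split("=", 1)[0].strip()
        flags = {p.strip().lower() for p in parts[1:]}
        if "httponly" not in flags:
            findings.append(f"cookie {cookie_name} lacks HttpOnly (XSS can read it)")
        if "secure" not in flags:
            findings.append(f"cookie {cookie_name} lacks Secure (sent over HTTP)")

    return findings


if __name__ == "__main__":
    # Constructed sample responses for illustration.
    hardened = [
        ("X-Frame-Options", "SAMEORIGIN"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("Set-Cookie", "sessionid=abc; HttpOnly; Secure; Path=/"),
    ]
    weak = [
        ("Content-Security-Policy", "script-src 'self' 'unsafe-inline'"),
        ("Set-Cookie", "sessionid=abc; Path=/"),
    ]
    print(audit_security_headers(hardened))
    for finding in audit_security_headers(weak):
        print("-", finding)
```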
Security in Django

XSS:
protection: Django templates escape specific characters
dangerous cases: the safe filter, and an unquoted attribute such as <style class={{ var }}></style> while var = class1 onmouseover = javascript:func()
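The unquoted-attribute case on this slide is dangerous precisely because Django's autoescaping only rewrites &, <, >, " and ', and the value class1 onmouseover = javascript:func() contains none of them, so it passes through unchanged and the browser reads the space as the end of the class attribute. The Python below is an added example, not Django's own code: it uses html.escape(), which rewrites the same five characters as Django's escape(), renders the slide's template both unquoted and quoted, and parses the result with the standard-library HTMLParser to show which attributes a browser-like parser ends up with. The function and class names are assumptions of this example.

```python
import html
from html.parser import HTMLParser


class StyleAttrCollector(HTMLParser):
    """Record the attributes of the first <style> start tag seen."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "style" and self.attrs is None:
            self.attrs = dict(attrs)


def render_style_tag(value, quoted):
    """Escape 'value' the way Django's autoescape does, then place it in the
    class attribute either unquoted (as on the slide) or inside double quotes."""
    escaped = html.escape(value, quote=True)  # & < > " ' -> entities
    if quoted:
        return f'<style class="{escaped}"></style>'
    return f"<style class={escaped}></style>"


def attributes_after_render(value, quoted):
    """Return the attributes a parser assigns to the rendered <style> tag."""
    parser = StyleAttrCollector()
    parser.feed(render_style_tag(value, quoted))
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    # The slide's example value; it survives escaping untouched.
    var = "class1 onmouseover = javascript:func()"
    print(render_style_tag(var, quoted=False))
    print(attributes_after_render(var, quoted=False))  # gains an onmouseover attribute
    print(render_style_tag(var, quoted=True))
    print(attributes_after_render(var, quoted=True))   # one class attribute only
```

The quoted form is safe because the only way out of a double-quoted attribute is a " character, and that is one of the characters the escaper does rewrite; quoting every attribute that takes template data is therefore the fix, independent of what the value contains.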
Security in Django

CSRF:
protection: POST form/ajax with csrf_token, CSRF middleware checking the Referer
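The slide names two checks the Django CSRF middleware performs: the token submitted with a POST form (or an ajax header) must match the token the server issued, and the Referer is checked. The Python below is an added example written to mirror that shape, not Django's middleware itself: safe methods pass, the submitted token is compared to the cookie token in constant time, and on HTTPS a missing or foreign Referer fails the request, which is exactly what a cross-site form or img-triggered request looks like. The function names, the (ok, reason) return convention and the constructed inputs are assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Methods that must never change state and so are not CSRF-checked.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_csrf_token():
    """Random, unguessable token to set in the cookie and embed in forms."""
    return secrets.token_urlsafe(32)


def csrf_check(method, cookie_token, submitted_token, scheme, host, referer):
    """Return (ok, reason) for one request.

    submitted_token comes from the form field or, for ajax, from a request
    header; either way it must equal the cookie's token. On HTTPS the Referer
    must be present and name our own host, since a forged request from another
    site cannot supply one that does.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if not cookie_token or not submitted_token:
        return False, "CSRF token missing"
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(cookie_token, submitted_token):
        return False, "CSRF token mismatch"
    if scheme == "https":
        if not referer:
            return False, "Referer missing"
        ref = urlsplit(referer)
        our_host = host.split(":")[0].lower()
        if ref.scheme != "https" or ref.hostname != our_host:
            return False, "Referer does not match host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed requests: a legitimate form post and a cross-site one.
    token = issue_csrf_token()
    print(csrf_check("POST", token, token, "https", "example.com",
                     "https://example.com/account/form"))
    print(csrf_check("POST", token, token, "https", "example.com",
                     "https://other.example/page"))
    print(csrf_check("POST", token, None, "https", "example.com", None))
```

Note that the Referer check is a second line of defence on top of the token, not a replacement: the token is what actually binds the request to a page the server rendered, while the Referer only confirms which site submitted it.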
Security in Django

Clickjacking:
protection: X-Frame-Options middleware
Security in Django

SQL Injection
SSL/HTTPS
Host Header Validation
Session Security
...
