A collection of Django security-related tools and topics. If you are concerned about security and use django for productivity, this can be of help.
If you'd like to contribute to this list, simply open a PR with your additions.
Maintained by @tcostam. If you have contributions but don't have the time, give me a shout at twitter
- Django Secure Auth: Secure authentication by TOTP, SMS, Codes & Question. Login protected by IP ranges and with captcha
- Django MFA2: A Django app that handles MFA, it supports TOTP, U2F, FIDO2 U2F (Webauthn), Email Token and Trusted Devices
- Django Two Factor Auth: Django Two Factor Auth: Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects
- Django Defender: A simple super fast django reusable app that blocks people from brute forcing login attempts
- Django Axes: Keep track of failed login attempts in Django-powered sites
- Django Registration: django-registration is an extensible application providing user registration functionality for Django-powered Web sites
- Django Session Activity: List recent account activity and sign-out from all sessions opened on other computers
- Django Restricted Sessions: Restrict Django sessions to IP and/or user agent
- Django Ratelimit Backend: Rate-limit your login attempts at the authentication backend level
- Django Session Security: Django Session Security: user's page activity monitoring for logging him out
- Django Simple Captcha
- DjangoRestFramework Api Key: API key permissions for the Django REST Framework
- Django Rules: flexible and scalable Django authorization backend for unified per object permission management
- Django Rules: provides object-level permissions to Django, without requiring a database
- Django Role Permissions: A django app for role based permissions
- Dry Rest Permissions: Dry Rest Permissions: Rules based permissions for the Django Rest Framework
- Django Guardian: implementation of per-object permissions on top of Django's authorization backend.
- Django Authority: A Django app that provides generic per-object-permissions for Django's auth app and helpers to create custom permission checks
- Django Permission: An enhanced permission system which support object permission in Django
- Django Rulez: A lean and mean object-level rules system for the Django framework
- Django Admin Honeypot: django-admin-honeypot is a fake Django admin login screen to log and notify admins of attempted unauthorized access
- Django Honeypot: Django Honeypot: Generic honeypot utilities for use in django projects
- Django Cryptography: Easily encrypt data in Django
- Django Safe Filefield: Secure file field, which allows you to restrict uploaded file extensions
- Django Random Filestorage: Django storage class that assigns random filenames to all stored files
- Django Security: A collection of models, views, middlewares, and forms to help secure a Django project.
- Django Sudo: Extra security for your sensitive pages
- Django Impersonate: Simple app to allow superusers to login as other (non-superuser) accounts via a quick user switch process
- Wemake Django Template: Bleeding edge django template focused on code quality and security
- Django SSLify: Force SSL on your Django site
- Django Stronghold: Make all your Django views default login_required
- Django Lockdown: Django Lockdown: Lock down a Django site or individual views, with configurable preview authorization
- Impostor: Django app that enables staff to log in as other users using their own credentials
- Django Primate: A Modular Django User
- Django HTML Sanitizer: A set of HTML input sanitization or cleaning utilities for django models, forms and templates
- Django Rules Light: This is a simple alternative to django-rules. The core difference is that it uses as registry that can be modified on runtime, instead of database models.
- Django Inspectional Registration: Django registration app with Inspection before activation
- Django Mongo Auth: Django authentication based on an extensible MongoEngine user class
- HTML Sanitizer: Allowlist-based HTML cleaner
- Bleach: Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes
- Django Trawler: This app is used to send out phishing emails and collect data on which recipients acted on them
- Pony Checkup: basic automated security checkup for Django websites
- SSL Checker: diagnose problems with your SSL certificate installation
- Safety: check your dependencies for known security vulnerabilities
- Mozilla Observatory: The Mozilla Observatory is a set of tools to analyze your website and inform you if you are utilizing the many available methods to secure it.
- Snyk: CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies
- Django Debreach: Basic/extra mitigation against the BREACH attack for Django projects
- Django CVEs
- Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)
- Django Security Tips: Learn and promote secure system administration tips and practices in the Django community
- OWASP Python Security Project
- Django Docs: Security in Django
- Django Packages: Security
- Deployment checklist
- Mozilla's tutorial on Django web application security
- What You Need to Know to Manage Users in Django Admin
- MDN - Django web application security
- Protect Your Django Web Application From Security Threats
- 10 tips for making the Django Admin more secure
- Tips and Tools for Securing Django
- Django in the wild: tips for deployment survival
- Django Web Application Security
- Django in the real world
- XSS Exploitation in Django Applications