Hi Prithviraj, I suspect the reason you haven't had a response is that there isn't much to respond to here.
Regarding integrating django-secure -- I agree that this would be a worthwhile activity; it was part of the plan for last year's GSoC project on the validation framework, but got dropped due to time constraints. However, that body of work was estimated as 2 weeks of work or less - it certainly won't be enough to sustain a GSoC project on its own. If you can propose additional checks that could be added to django-secure, that *might* bulk out your project proposal to fill the allotted time, but you'd need to propose a *lot* of new checks - and as part of your proposal process, we'd be expecting *you* to propose which new checks you can add.

As for your other suggestion -- well... you suggest implementing an "encrypted token pattern", but don't actually provide any references to describe what you actually mean. You say "it is said", but don't say *by whom*.

In short -- we need a lot more detail than this before we can provide any meaningful feedback. If you've got specific questions, we're happy to answer them, but based on the information you've provided so far, all we can say is yes, improving Django's security features is a project on our wish list.

Yours,
Russ Magee %-)

On Tue, Feb 25, 2014 at 1:25 PM, Prithviraj Billa <[email protected]> wrote:
> I am eagerly waiting to hear your comments and opinions.
>
> Thanks,
>
> Prithviraj M Billa
> github :: http://github.com/Prithvirajbilla
> blog :: http://blog.prithvirajbilla.com
>
> On Sunday, February 23, 2014 9:34:15 PM UTC+5:30, Prithviraj Billa wrote:
>> Hello Guys!
>>
>> I am planning to work on developing and improving the security features
>> of Django.
>>
>> I would like some help in formalizing the proposal so that it will meet
>> the requirements.
>>
>> Things I understood: how security against CSRF works and how it is
>> implemented in Django. (Please correct me if I'm wrong.)
>>
>> - Whenever the user requests a csrf_token in the HTML view or using the
>>   function csrf_protect(), the server creates a randomized token which is
>>   different for every request (changes for requests), and we set a cookie
>>   csrf_token=value.
>>
>> - When a POST request is sent (or some sensitive operation is done at
>>   server side), we also send a hidden variable csrf_token which is validated
>>   against the cookie (double submit cookie technique).
>>
>> - The attacker may send the request from the other domain on behalf
>>   of the user logged in, but the attack will mostly fail because he cannot
>>   read the session data (because of same origin policy).
>>
>> - All these operations are taken care of by the CSRF middleware.
>>
>> It is mentioned that you want to integrate the
>> django-secure <https://github.com/carljm/django-secure> project with the
>> Django project. SSL redirect, security against clickjacking, and some XSS
>> attacks were already implemented in the above project. Does the candidate
>> have to improve those features or just have to integrate those features
>> with the present Django?
>>
>> How can we enhance the security measures against the CSRF attacks? (I
>> don't know how to enhance security using the double submit cookie
>> technique which is already implemented in the Django project.)
>>
>> I think we can implement the Encrypted Token Pattern to enhance the security
>> against CSRF attacks. It is mentioned that it allows us greater control over
>> CSRF defense, without introducing new security concerns or architectural
>> problems. I'm a newbie in this area, so please let me know if this is not a
>> good idea.
>>
>> I'd like to hear your comments and opinions.
>>
>> Thanks,
>>
>> Prithviraj M Billa
>>
>> github: http://github.com/Prithvirajbilla
>>
>> blog: http://blog.prithvirajbilla.com
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/9ba193b8-8308-41ed-9189-576fe8480f78%40googlegroups.com
> For more options, visit https://groups.google.com/groups/opt_out.
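The two CSRF defenses discussed in the quoted proposal, the double submit cookie check and a token sealed by the server so that it can be verified without per-request server state, side by side. This is an added illustration, not Django's CSRF middleware (which is considerably more involved) and not code from either poster. The "encrypted token pattern" the proposal names encrypts the token with a server key; as a stand-in this example uses an HMAC-SHA256 seal over the same fields (session id, expiry, nonce), which gives the same verification property without an extra crypto dependency. `handle_post`, the cookie and field names, and the request dictionaries are all hypothetical and constructed for the example.

```python
"""Double-submit cookie check next to a keyed (HMAC-sealed) CSRF token.
Hypothetical names; stdlib only; not Django's implementation."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    # re-add the padding stripped on encode; bad input raises binascii.Error (a ValueError)
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- 1. Double submit cookie -------------------------------------------------
def make_double_submit_token() -> str:
    """Random token set as a cookie and echoed back in a hidden form field."""
    return secrets.token_urlsafe(32)


def check_double_submit(cookie_token: str, form_token: str) -> bool:
    """A cross-site POST carries the cookie automatically but the attacker's page
    cannot read it, so the hidden field is missing or wrong. Constant-time
    comparison avoids leaking the token through timing."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


# --- 2. Sealed token bound to the session (HMAC stand-in for encryption) ------
def make_sealed_token(key: bytes, session_id: str, ttl: int = 3600, now=None) -> str:
    """Token = base64(payload).base64(HMAC-SHA256(key, payload)).
    Payload carries the session id, an expiry and a nonce, so the server can
    verify it with only its key and the current session id."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"sid": session_id, "exp": now + ttl, "nonce": secrets.token_hex(8)},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def check_sealed_token(key: bytes, token: str, session_id: str, now=None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):
        return False            # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False            # tampered, or minted with a different key
    try:
        data = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(data, dict) or data.get("sid") != session_id:
        return False            # token belongs to another session
    if not isinstance(data.get("exp"), int) or data["exp"] < now:
        return False            # expired
    return True


# --- 3. Simulated view applying both checks (hypothetical request shape) ------
def handle_post(request: dict, key: bytes, now=None) -> str:
    """request = {"cookies": {...}, "form": {...}, "session": {"id": ...}}."""
    cookies, form, session = request["cookies"], request["form"], request["session"]
    if not check_double_submit(cookies.get("csrftoken", ""),
                               form.get("csrfmiddlewaretoken", "")):
        return "403 double-submit mismatch"
    if not check_sealed_token(key, form.get("csrf_sealed", ""), session["id"], now=now):
        return "403 sealed token invalid"
    return "200 OK"
```

The sealed token adds what the plain double submit check lacks: a forged or replayed token fails even if an attacker could plant a cookie, because the tag is bound to the server key, the session id and an expiry. The `now` parameter exists only so the expiry logic can be exercised deterministically.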
