Hi Shoury,

I agree that this is an easy thing to change to prevent discovery of the admin. I've done it on several projects, and I saw Will Vincent mention it in his recent article on security: https://learndjango.com/tutorials/django-best-practices-security
Implementation-wise, perhaps we could add another system check that checks if /admin is routed to the admin, and recommends it be changed if so. That said, such a check would not apply in every situation. I've seen Django projects that are *only* the admin, or that only exist on an internal trusted network, and there the '/admin' URL may be of use for discovery. We also have other possible, stronger defenses here, such as adding rate-limiting to the login page: https://code.djangoproject.com/ticket/21289 .

Thanks,

Adam

On Tue, 10 Nov 2020 at 20:30, Arvind Nedumaran <arvindamir...@gmail.com> wrote:
> The one I follow is to set an environment variable to see if it's a public facing instance or a private one (disconnected from the internet) and use that as a condition, which when true will add some urls.
>
> It's the same pattern you'll follow when using something like Django debug toolbar - where you check if debug is true and if it is, you add some more urls to the root urlconf.
>
> Hope that helps.
>
> P.S. This is the mailing list for contributions to Django itself. Questions about how to use Django are better suited to the Django Users mailing list or the forums.
>
> Onward,
> Arvind
>
> On 10 Nov 2020, at 14:46, Shoury Sharma wrote:
>
> Hello everyone!
> I was going through the idea of the admin page, but sometimes it can be a security concern regarding access to admin stuff via URL/admin.
> I would therefore like to give a suggestion regarding the URL/admin: that it be some key which only the owners would have access to, so the user can never have any way to check the admin by penetrating into it in any malicious way.
> Generous regards,
> Shoury Sharma
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/46bf01ff-dc32-47ff-92bc-c56c260a9f29n%40googlegroups.com

--
Adam
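Added example (not Django's own code, and not part of the thread): one way to build the system check Adam sketches above, warning when the admin site is mounted at the conventional "admin/" prefix. The pure helper default_admin_mounts() takes (route, app_name) pairs and works without a Django project; check_admin_url() is the glue that feeds it the real root URLconf. The check id "myproject.W001" is a hypothetical name chosen for illustration.

```python
"""
Added example, not Django's own code: a system check that warns when the
admin site is mounted at the conventional "admin/" prefix.
default_admin_mounts() is plain Python so it can be tested without a
Django project; check_admin_url() is the Django glue around it.
The check id "myproject.W001" is a hypothetical name for illustration.
"""

# Prefixes a scanner tries first, compared after _normalize().
DEFAULT_ADMIN_PREFIXES = frozenset({"admin", "admin/"})


def _normalize(route):
    """Strip regex anchors (from re_path) and a leading slash so that
    "admin/", "/admin/" and r"^admin/$" all compare as "admin/"."""
    r = route.strip()
    if r.startswith("^"):
        r = r[1:]
    if r.endswith("$"):
        r = r[:-1]
    return r.lstrip("/")


def default_admin_mounts(mounts):
    """
    mounts: iterable of (route, app_name) pairs, one per URLResolver in the
    root URLconf. Return the routes where the admin (Django's admin URLs
    carry app_name "admin") is mounted at a default, guessable prefix.
    Routes are matched case-sensitively, as Django's resolver does.
    """
    return [
        route
        for route, app_name in mounts
        if app_name == "admin" and _normalize(route) in DEFAULT_ADMIN_PREFIXES
    ]


def check_admin_url(app_configs, **kwargs):
    """Django system check built on default_admin_mounts().

    Returns a Warning rather than an Error because, as Adam notes, some
    projects are only the admin or only reachable on a trusted network;
    those can silence it with SILENCED_SYSTEM_CHECKS = ["myproject.W001"].
    """
    # Imported lazily so the pure helper above works without Django installed.
    from django.conf import settings
    from django.core.checks import Warning
    from django.urls import URLResolver, get_resolver

    # Each include()/admin.site.urls entry in the root URLconf is a URLResolver;
    # str(pattern) gives back the route string exactly as written in urls.py.
    mounts = [
        (str(p.pattern), p.app_name)
        for p in get_resolver(settings.ROOT_URLCONF).url_patterns
        if isinstance(p, URLResolver)
    ]
    return [
        Warning(
            "The admin site is mounted at the conventional prefix %r." % route,
            hint=(
                "If untrusted clients can reach this site, mount admin.site.urls "
                "at a non-guessable prefix (and consider rate-limiting the login view)."
            ),
            id="myproject.W001",  # hypothetical id; pick one for your project
        )
        for route in default_admin_mounts(mounts)
    ]
```

To wire it in, register it from an AppConfig.ready() with `from django.core.checks import Tags, register` and `register(check_admin_url, Tags.urls)`; `manage.py check` then reports the warning, and projects where '/admin' is intentional add the id to SILENCED_SYSTEM_CHECKS.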