To re-iterate, you would get this message iff you have the correct
credentials for an end user who is not an admin user. You seem to be
referring to Response Information Discrepancy Information Exposure
(http://cwe.mitre.org/data/definitions/204.html) which is generally
about differentiating betwee
I personally like the idea of a decorator
On Mar 13, 12:30 pm, Ryan N wrote:
> I personally do not believe XFrameOptionsMiddleware should be on by
> default. There are plenty of folks using Django for simple static
> sites or RESTful APIs where clickjacking doesn't apply.
>
> I'd prefer it's some
This is awesome - very progressive and I hope other frameworks follow
suit.
Have you done a poll of users to see how many would be affected by a
"SAMEORIGIN" setting? Maybe that would be a good place to start. Is
there some other way to test the overall impact of this prior to
committing to it be
To summarize - if I understand correctly the only way a more specific
error message can result in a problem is the following scenario:
1) An attacker correctly guesses credentials for a user on the admin
site
2) The attacker does not try to authenticate with the same credentials
on the regular site
let users know
that brute-force prevention doesn't come out of the box. Does that
sound fair?
On Mar 8, 4:10 am, Michael Radziej wrote:
> On Mon, 7 Mar 2011 18:11:19 -0800 (PST), Rohit Sethi
> wrote:
> > Luke, I guess the real question is what's the risk of not including it
nough for their needs. Again,
please correct me if my assumptions here are wrong.
On Mar 7, 6:48 pm, Luke Plant wrote:
> On 04/03/11 21:56, Rohit Sethi wrote:
>
> > Hi all, I wanted to revisit a key security discussion. Brute force
> > attacks are the 7th most prev
Looks like we're on the same page. I agree that we need something
lightweight designed to repel brute force from a single IP. Something
designed to detect distributed attacks would require more overhead and
monitoring and probably doesn't belong in core. That said, I believe
we should think about l
Ok, we'll go ahead with researching this. Expect to hear back from us
within the next 2-3 weeks (if not this upcoming week)
Thanks,
Rohit
On Mar 5, 8:40 am, Rohit Sethi wrote:
> Hi Russell, here are my thoughts on your points:
>
> 1. I do believe there should be something enab
n Sat, Mar 5, 2011 at 5:56 AM, Rohit Sethi wrote:
> > Hi all, I wanted to revisit a key security discussion. Brute force
> > attacks are the 7th most prevalent attack by number of incidents in
> > the Web Hacking Incidents Database (http://projects.webappsec.org/w/
> > page
Hi all, I wanted to revisit a key security discussion. Brute force
attacks are the 7th most prevalent attack by number of incidents in
the Web Hacking Incidents Database (http://projects.webappsec.org/w/
page/13246995/Web-Hacking-Incident-Database), which tracks publicly
disclosed breaches in web a
Hi Jacob, just as an FYI I messaged you last week about this off list
- my email was from my first name @securitycompass.com. Just wanted to
make sure you got it
Thanks,
Rohit
On Feb 24, 6:55 am, Jacob Kaplan-Moss wrote:
> Hi Rohit --
>
> I had a skim of the document, too, and my feelings are p
; detail you've gathered on any individual item if I so choose.
>
> Either way, thank you for providing an interesting resource.
>
> All the best,
>
> - Gabriel Hurley
>
> On Feb 21, 5:09 pm, Rohit Sethi wrote:
>
> > Russell, awe
7:42 pm, Russell Keith-Magee
wrote:
> On Mon, Feb 21, 2011 at 11:21 PM, Rohit Sethi wrote:
> > Django devs, I wanted to thank you for a truly awesome framework.
> > Programming with Python, and web app dev in Django, is truly a
> > pleasure. Our company, Security Compass, uses
One more point - if any of you have questions for somebody who lives
and breathes web application security every day, please feel free to
fire them off to me:
rohit at securitycompass.com
On Feb 21, 10:21 am, Rohit Sethi wrote:
> Django devs, I wanted to thank you for a truly awes
t
too.
Thanks in advance,
Rohit Sethi
@rksethi
--
You received this message because you are subscribed to the Google Groups
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com.
To unsubscribe from this group, send email to
django-deve