Skip to content

Security: FairCoalitionCasesDistributionProject/Backend

Security

SECURITY.md

Security Documentation

Security Measures Implemented

1. Environment Variables

  • SECRET_KEY: Moved Django secret key to environment variable
  • Firebase Config: All Firebase credentials moved to environment variables
  • Database URL: Database connection string moved to environment variable
  • CORS Origins: Restricted CORS to specific domains

2. Input Validation & Sanitization

  • Key Sanitization: Database keys are sanitized to prevent injection attacks
  • Input Size Limits: Added 10KB limit on input data to prevent abuse
  • Type Validation: Enhanced input validation with proper type checking
  • Directory Traversal Protection: Prevents ../ and similar patterns

3. Security Headers

  • X-Content-Type-Options: Prevents MIME type sniffing
  • X-Frame-Options: Prevents clickjacking attacks
  • X-XSS-Protection: Enables browser XSS protection
  • Referrer-Policy: Controls referrer information
  • HSTS: HTTP Strict Transport Security headers

4. Rate Limiting

  • IP-based Rate Limiting: 100 requests per hour per IP
  • DRF Throttling: Additional rate limiting through Django REST Framework
  • Anonymous Rate Limit: 100 requests/hour
  • User Rate Limit: 1000 requests/hour

5. CORS Configuration

  • Restricted Origins: Only specific domains allowed
  • Credentials: CORS credentials properly configured
  • Removed Wildcard: No more CORS_ORIGIN_ALLOW_ALL = True

6. Error Handling

  • Generic Error Messages: No sensitive information in error responses
  • Proper HTTP Status Codes: Correct status codes for different error types
  • Exception Logging: Errors are logged (implement proper logging in production)

7. Authentication & Authorization

  • DRF Authentication: Session and Token authentication configured
  • Permission Classes: Default authentication required (temporarily disabled for API endpoints)
  • Password Validation: Enhanced password requirements

Deployment Checklist

Environment Variables

Create a .env file with the following variables:

# Django Settings
DJANGO_SECRET_KEY=your-secure-secret-key-here
DEBUG=False
ALLOWED_HOSTS=your-domain.com,www.your-domain.com

# CORS Settings
CORS_ALLOWED_ORIGINS=https://your-frontend-domain.com

# Database
DATABASE_URL=your-production-database-url

# Firebase Configuration
FIREBASE_API_KEY=your-firebase-api-key
FIREBASE_AUTH_DOMAIN=your-firebase-auth-domain
FIREBASE_PROJECT_ID=your-firebase-project-id
FIREBASE_STORAGE_BUCKET=your-firebase-storage-bucket
FIREBASE_MESSAGING_SENDER_ID=your-firebase-messaging-sender-id
FIREBASE_APP_ID=your-firebase-app-id
FIREBASE_DATABASE_URL=your-firebase-database-url

Production Recommendations

  1. Use HTTPS: Always use HTTPS in production
  2. Database: Use a production database (PostgreSQL recommended)
  3. Redis: Implement Redis for rate limiting in production
  4. Logging: Set up proper logging with rotation
  5. Monitoring: Implement application monitoring
  6. Backup: Regular database backups
  7. Updates: Keep dependencies updated

Security Headers

The application now includes these security headers:

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block
  • Referrer-Policy: strict-origin-when-cross-origin
  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Rate Limiting

  • IP-based: 100 requests per hour per IP address
  • DRF Throttling: Additional rate limiting through Django REST Framework
  • Anonymous: 100 requests/hour
  • Authenticated: 1000 requests/hour

Input Validation

  • All user inputs are validated and sanitized
  • Database keys are sanitized to prevent injection
  • Input size is limited to prevent abuse
  • Type checking is enforced

Known Vulnerabilities Fixed

  1. Hardcoded Secrets: Moved to environment variables
  2. CORS Misconfiguration: Restricted to specific origins
  3. Missing Security Headers: Added comprehensive security headers
  4. No Rate Limiting: Implemented rate limiting
  5. Input Injection: Added input sanitization
  6. Error Information Disclosure: Generic error messages
  7. Directory Traversal: Protected against path traversal attacks

Monitoring & Maintenance

Regular Tasks

  1. Dependency Updates: Run pip list --outdated and update packages
  2. Security Audits: Regular security assessments
  3. Log Review: Monitor application logs for suspicious activity
  4. Backup Verification: Test backup restoration procedures

Security Tools

Consider implementing:

  • Django Security: python manage.py check --deploy
  • Bandit: Python security linter
  • Safety: Check for known security vulnerabilities
  • OWASP ZAP: Web application security scanner

Emergency Response

If Compromised

  1. Immediate Actions:

    • Change all API keys and secrets
    • Review logs for unauthorized access
    • Check for data exfiltration
    • Update all passwords

  2. Investigation:

    • Preserve logs and evidence
    • Identify attack vector
    • Assess impact

  3. Recovery:

    • Restore from clean backup
    • Implement additional security measures
    • Monitor for repeat attacks

Contact

For security issues, please contact the development team immediately.

There aren’t any published security advisories