Full stack Python security : cryptography, TLS, and attack resistance
Introducing the book «Full stack Python security : cryptography, TLS, and attack resistance», written by Dennis Byrne; Safari, an O'Reilly Media Company, published by Manning Publications Co. LLC in 2021. This book is offered in pdf format, in English. «Full stack Python security : cryptography, TLS, and attack resistance» is in the category Uncategorized.
Full Stack Python Security teaches you everything you’ll need to build secure Python web applications.

Summary
In Full Stack Python Security: Cryptography, TLS, and attack resistance, you’ll learn how to:
• Use algorithms to encrypt, hash, and digitally sign data
• Create and install TLS certificates
• Implement authentication, authorization, OAuth 2.0, and form validation in Django
• Protect a web application with Content Security Policy
• Implement Cross Origin Resource Sharing
• Protect against common attacks including clickjacking, denial of service attacks, SQL injection, cross-site scripting, and more

Full Stack Python Security: Cryptography, TLS, and attack resistance teaches you everything you’ll need to build secure Python web applications. As you work through the insightful code snippets and engaging examples, you’ll put security standards, best practices, and more into action. Along the way, you’ll get exposure to important libraries and tools in the Python ecosystem.

About the technology
Security is a full-stack concern, encompassing user interfaces, APIs, web servers, network infrastructure, and everything in between. Master the powerful libraries, frameworks, and tools in the Python ecosystem and you can protect your systems top to bottom. Packed with realistic examples, lucid illustrations, and working code, this book shows you exactly how to secure Python-based web applications.

About the book
Full Stack Python Security: Cryptography, TLS, and attack resistance teaches you everything you need to secure Python and Django-based web apps. In it, seasoned security pro Dennis Byrne demystifies complex security terms and algorithms. Starting with a clear review of cryptographic foundations, you’ll learn how to implement layers of defense, secure user authentication and third-party access, and protect your applications against common hacks.
What's inside
• Encrypt, hash, and digitally sign data
• Create and install TLS certificates
• Implement authentication, authorization, OAuth 2.0, and form validation in Django
• Protect against attacks such as clickjacking, cross-site scripting, and SQL injection

About the reader
For intermediate Python programmers.

About the author
Dennis Byrne is a tech lead for 23andMe, where he protects the genetic data of more than 10 million customers.

Full Stack Python Security contents
preface
acknowledgments
about this book
  Who should read this book
  How this book is organized: A roadmap
  About the code
  liveBook discussion forum
about the author
about the cover illustration
1 Defense in depth
  1.1 Attack surface
  1.2 Defense in depth
    1.2.1 Security standards
    1.2.2 Best practices
    1.2.3 Security fundamentals
  1.3 Tools
    1.3.1 Staying practical
  Summary
Part 1 Cryptographic foundations
2 Hashing
  2.1 What is a hash function?
    2.1.1 Cryptographic hash function properties
  2.2 Archetypal characters
  2.3 Data integrity
  2.4 Choosing a cryptographic hash function
    2.4.1 Which hash functions are safe?
    2.4.2 Which hash functions are unsafe?
  2.5 Cryptographic hashing in Python
  2.6 Checksum functions
  Summary
3 Keyed hashing
  3.1 Data authentication
    3.1.1 Key generation
    3.1.2 Keyed hashing
  3.2 HMAC functions
    3.2.1 Data authentication between parties
  3.3 Timing attacks
  Summary
4 Symmetric encryption
  4.1 What is encryption?
    4.1.1 Package management
  4.2 The cryptography package
    4.2.1 Hazardous materials layer
    4.2.2 Recipes layer
    4.2.3 Key rotation
  4.3 Symmetric encryption
    4.3.1 Block ciphers
    4.3.2 Stream ciphers
    4.3.3 Encryption modes
  Summary
5 Asymmetric encryption
  5.1 Key-distribution problem
  5.2 Asymmetric encryption
    5.2.1 RSA public-key encryption
  5.3 Nonrepudiation
    5.3.1 Digital signatures
    5.3.2 RSA digital signatures
    5.3.3 RSA digital signature verification
    5.3.4 Elliptic-curve digital signatures
  Summary
6 Transport Layer Security
  6.1 SSL? TLS? HTTPS?
  6.2 Man-in-the-middle attack
  6.3 The TLS handshake
    6.3.1 Cipher suite negotiation
    6.3.2 Key exchange
    6.3.3 Server authentication
  6.4 HTTP with Django
    6.4.1 The DEBUG setting
  6.5 HTTPS with Gunicorn
    6.5.1 Self-signed public-key certificates
    6.5.2 The Strict-Transport-Security response header
    6.5.3 HTTPS redirects
  6.6 TLS and the requests package
  6.7 TLS and database connections
  6.8 TLS and email
    6.8.1 Implicit TLS
    6.8.2 Email client authentication
    6.8.3 SMTP authentication credentials
  Summary
Part 2 Authentication and authorization
7 HTTP session management
  7.1 What are HTTP sessions?
  7.2 HTTP cookies
    7.2.1 Secure directive
    7.2.2 Domain directive
    7.2.3 Max-Age directive
    7.2.4 Browser-length sessions
    7.2.5 Setting cookies programmatically
  7.3 Session-state persistence
    7.3.1 The session serializer
    7.3.2 Simple cache-based sessions
    7.3.3 Write-through cache-based sessions
    7.3.4 Database-based session engine
    7.3.5 File-based session engine
    7.3.6 Cookie-based session engine
  Summary
8 User authentication
  8.1 User registration
    8.1.1 Templates
    8.1.2 Bob registers his account
  8.2 User authentication
    8.2.1 Built-in Django views
    8.2.2 Creating a Django app
    8.2.3 Bob logs into and out of his account
  8.3 Requiring authentication concisely
  8.4 Testing authentication
  Summary
9 User password management
  9.1 Password-change workflow
    9.1.1 Custom password validation
  9.2 Password storage
    9.2.1 Salted hashing
    9.2.2 Key derivation functions
  9.3 Configuring password hashing
    9.3.1 Native password hashers
    9.3.2 Custom password hashers
    9.3.3 Argon2 password hashing
    9.3.4 Migrating password hashers
  9.4 Password-reset workflow
  Summary
10 Authorization
  10.1 Application-level authorization
    10.1.1 Permissions
    10.1.2 User and group administration
  10.2 Enforcing authorization
    10.2.1 The low-level hard way
    10.2.2 The high-level easy way
    10.2.3 Conditional rendering
    10.2.4 Testing authorization
  10.3 Antipatterns and best practices
  Summary
11 OAuth 2
  11.1 Grant types
    11.1.1 Authorization code flow
  11.2 Bob authorizes Charlie
    11.2.1 Requesting authorization
    11.2.2 Granting authorization
    11.2.3 Token exchange
    11.2.4 Accessing protected resources
  11.3 Django OAuth Toolkit
    11.3.1 Authorization server responsibilities
    11.3.2 Resource server responsibilities
  11.4 requests-oauthlib
    11.4.1 OAuth client responsibilities
  Summary
Part 3 Attack resistance
12 Working with the operating system
  12.1 Filesystem-level authorization
    12.1.1 Asking for permission
    12.1.2 Working with temp files
    12.1.3 Working with filesystem permissions
  12.2 Invoking external executables
    12.2.1 Bypassing the shell with internal APIs
    12.2.2 Using the subprocess module
  Summary
13 Never trust input
  13.1 Package management with Pipenv
  13.2 YAML remote code execution
  13.3 XML entity expansion
    13.3.1 Quadratic blowup attack
    13.3.2 Billion laughs attack
  13.4 Denial of service
  13.5 Host header attacks
  13.6 Open redirect attacks
  13.7 SQL injection
    13.7.1 Raw SQL queries
    13.7.2 Database connection queries
  Summary
14 Cross-site scripting attacks
  14.1 What is XSS?
    14.1.1 Persistent XSS
    14.1.2 Reflected XSS
    14.1.3 DOM-based XSS
  14.2 Input validation
    14.2.1 Django form validation
  14.3 Escaping output
    14.3.1 Built-in rendering utilities
    14.3.2 HTML attribute quoting
  14.4 HTTP response headers
    14.4.1 Disable JavaScript access to cookies
    14.4.2 Disable MIME type sniffing
    14.4.3 The X-XSS-Protection header
  Summary
15 Content Security Policy
  15.1 Composing a content security policy
    15.1.1 Fetch directives
    15.1.2 Navigation and document directives
  15.2 Deploying a policy with django-csp
  15.3 Using individualized policies
  15.4 Reporting CSP violations
  15.5 Content Security Policy Level 3
  Summary
16 Cross-site request forgery
  16.1 What is request forgery?
  16.2 Session ID management
  16.3 State-management conventions
    16.3.1 HTTP method validation
  16.4 Referer header validation
    16.4.1 Referrer-Policy response header
  16.5 CSRF tokens
    16.5.1 POST requests
    16.5.2 Other unsafe request methods
  Summary
17 Cross-Origin Resource Sharing
  17.1 Same-origin policy
  17.2 Simple CORS requests
    17.2.1 Cross-origin asynchronous requests
  17.3 CORS with django-cors-headers
    17.3.1 Configuring Access-Control-Allow-Origin
  17.4 Preflight CORS requests
    17.4.1 Sending the preflight request
    17.4.2 Sending the preflight response
  17.5 Sending cookies across origins
  17.6 CORS and CSRF resistance
  Summary
18 Clickjacking
  18.1 The X-Frame-Options header
    18.1.1 Individualized responses
  18.2 The Content-Security-Policy header
    18.2.1 X-Frame-Options versus CSP
  18.3 Keeping up with Mallory
  Summary
index

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.
No-nonsense techniques, libraries, and best practices you can use to keep your Python applications safe and secure.
Download the book Full stack Python security : cryptography, TLS, and attack resistance