1

I am developing a back-end for a webpage using Django Rest Framework. The webpage will be public, and it will only fetch information from this service. Thus, I have to deploy both service and webpage.

Since the webpage is public access (without any type of login) I can avoid having to set up the SSL stuff. However, by default, the DRF comes with the browsable API and the login field. I know I can remove the browsable API, but is it enough?

For instance, the configurations I would have would be:

(removing the BrowsableAPIRenderer)

   'DEFAULT_RENDERER_CLASSES': ( 'rest_framework.renderers.JSONRenderer',
                                 'rest_framework.renderers.JSONPRenderer',
                                 'rest_framework_csv.renderers.CSVRenderer', )

and:

CORS_ORIGIN_ALLOW_ALL = True

CORS_ALLOW_METHODS = (
        'GET',
        'HEAD',
        'OPTIONS',
)

I am using https://github.com/ottoyiu/django-cors-headers for the CORS stuff.

Would this be enough to avoid unwanted login atempts? Is there any specific way to disable this option?

What 'DEFAULT_PERMISSION_CLASSES' shoul I use?

Best regards and thanks for any help!

Improve this question

1 Answer 1

Reset to default
1

If you have a login, but you don't have SSL, then your users are vulnerable to packet sniffing of credentials on many wifi and ethernet networks. Such a vulnerability can be trivially exploited with the Firesheep firefox plugin. Due to users' habit of reusing passwords, you could end up compromising their security to a more critical website. This is very unfortunate. It isn't entirely your problem if users reuse their password, but SSL should be a base layer of protection to your users.

While it is possible to use Django templates with Django Rest Framework (DRF) as the backend, you are not limited to using Django for your front-end. Consider AngularJS with DRF. Anyways, there is a significant learning curve for AngularJS, but you needn't limit yourself to having Django supply your front-end.

As far as removing the DRF BrowsableAPIRenderer, you will get some protection from "security through obscurity", but you really need to lock down your APIs through a proper permission model as an attacker can easily look at traffic generated by your front-end to your back-end and then manipulate the requests to your back-end. So, discoverability of your interface by an adversary will not be significantly reduced through getting rid of BrowsableAPIRenderer. It will only obscure back-end resources that your front-end isn't currently using and it will also make your life as a front-end dev a little more painful.

For DEFAULT_PERMISSION_CLASSES, take a gander at DRF permissions documentation. If you only have two user groups - logged in/authenticate and not logged in, then IsAuthenticatedOrReadOnly is a good place to start. If you start to have per-model permission bifurcation for different user groups, then DjangoModelPermissions is a good place to dig into.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Hello there, thanks for the reply! I am not using Django as front end, I am actually using ExtJS, and requesting data from the rest service. I was just wondering if I could remove any kind of authentication, as the service should only be used to fetch data. Since ExtJS calls are made on the client side I need to have the service available online as well.
If the service is just to fetch data, I'd do IsAuthenticatedOrReadOnly and don't provide users a way to log in. This will leave the future open to authenticated writes ( with SSL :-D) Even if it is just user meta-data like which columns to display on a table, or their "dashboard", or however you may expand the site to be user-customizable.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.