django-components/docs/user_guide/integration/security.md
2024-08-24 11:23:24 +02:00


# Security notes 🚨

You are advised to read this section before using django-components in production.

## Static files

Components can be organized however you prefer. That said, our preferred way is to keep the files of a component close together by bundling them in the same directory. This means that files containing backend logic, such as Python modules and HTML templates, live in the same directory as static files, e.g. JS and CSS.

If you are using [django.contrib.staticfiles][] to collect static files, no distinction is made between the different kinds of files. As a result, your Python code and templates may inadvertently become available on your static file server. You probably don't want this, as parts of your backend logic will be exposed, posing a potential security vulnerability.

As of v0.27, django-components ships with an additional installable app [django_components.safer_staticfiles][]. It is a drop-in replacement for [django.contrib.staticfiles][]. Its behavior is 100% identical except that it ignores `.py` and `.html` files, meaning these will not end up on your static files server. To use it, add it to [INSTALLED_APPS][] and remove [django.contrib.staticfiles][]:

```python
INSTALLED_APPS = [
    # 'django.contrib.staticfiles',   # <-- REMOVE
    'django_components',
    'django_components.safer_staticfiles'  # <-- ADD
]
```

If you are on an older version of django-components, your alternatives are a) passing `--ignore <pattern>` options to the `collectstatic` CLI command, or b) defining a subclass of `StaticFilesConfig` with `*.py` and `*.html` added to its `ignore_patterns`. Both routes are described in the official docs of the staticfiles app.
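The following is an added example, not code from django-components or Django. It shows why the default ignore patterns are not enough and lets you audit what a set of patterns would let through: it builds a constructed component directory in a temporary folder, applies ignore patterns the way Django's staticfiles finder does (`fnmatchcase` against the basename first, then against the relative path, with ignored directories pruned), and lists any `.py`/`.html` files that would still be collected. The `SAFER_IGNORE` list is the pattern equivalent of `collectstatic --ignore '*.py' --ignore '*.html'`; the directory layout and file names are assumptions for the demonstration.

```python
"""Audit which files an ignore-pattern list would let collectstatic publish."""
import fnmatch
import os
import tempfile

# Django's own defaults (StaticFilesConfig.ignore_patterns).
DEFAULT_IGNORE = ["CVS", ".*", "*~"]
# Defaults plus the backend file types, i.e. what you get from
# `collectstatic --ignore '*.py' --ignore '*.html'` or a StaticFilesConfig subclass.
SAFER_IGNORE = DEFAULT_IGNORE + ["*.py", "*.html"]
# File types that must never be reachable on the static file server.
BACKEND_EXTENSIONS = (".py", ".html")


def matches_patterns(path, patterns):
    """Same test Django uses: case-sensitive shell-style match against any pattern."""
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns)


def collectable_files(root, ignore_patterns, location=""):
    """Yield the relative paths under `root` that would be collected."""
    abs_dir = os.path.join(root, location) if location else root
    for name in sorted(os.listdir(abs_dir)):
        rel = f"{location}/{name}" if location else name
        if os.path.isdir(os.path.join(abs_dir, name)):
            # An ignored directory is pruned entirely.
            if matches_patterns(name, ignore_patterns):
                continue
            yield from collectable_files(root, ignore_patterns, rel)
        else:
            # Django checks the basename first, then the relative path.
            if matches_patterns(name, ignore_patterns) or matches_patterns(rel, ignore_patterns):
                continue
            yield rel


def leaked_backend_files(paths):
    """Collected paths that carry backend logic and should not have been published."""
    return sorted(p for p in paths if p.endswith(BACKEND_EXTENSIONS))


def build_sample_component(root):
    """Constructed sample: one component directory bundling backend and static files."""
    comp = os.path.join(root, "calendar")
    os.makedirs(comp)
    for name in ("calendar.py", "calendar.html", "calendar.js", "calendar.css", ".DS_Store"):
        with open(os.path.join(comp, name), "w") as fh:
            fh.write("# constructed sample content\n")


def audit(ignore_patterns):
    """Return (collected paths, leaked backend paths) for the sample component."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_component(root)
        collected = list(collectable_files(root, ignore_patterns))
        return collected, leaked_backend_files(collected)


if __name__ == "__main__":
    for label, patterns in (("default", DEFAULT_IGNORE), ("safer", SAFER_IGNORE)):
        collected, leaked = audit(patterns)
        print(f"{label}: collected={collected} leaked={leaked}")
```

With the default patterns the audit reports `calendar/calendar.html` and `calendar/calendar.py` as leaked; with `SAFER_IGNORE` only the `.css` and `.js` files are collected. The same `collectable_files` walk can be pointed at a real `STATIC_ROOT` after running `collectstatic` to confirm that no backend files made it through.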