Django Admin can be secured in several ways, including serving the website over SSL, changing the admin URL, requiring stronger passwords, and so on.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform Django related tasks.
In this context, we shall look into how to secure Django admin.
How to secure Django Admin?
Here you will see how to secure the Django Admin.
1. Use SSL
We suggest enabling SSL for the website so that the site is served over HTTPS. If the website does not use HTTPS, anyone on the network path can snoop the admin password as it travels in plain text.
2. Change the URL
By default, the admin URL is /admin/, so change it to something else. Replace the /admin/ prefix in the URL conf with a non-default one, as shown below (the prefix secret-admin/ is only an example; pick your own):

    from django.contrib import admin
    from django.urls import path

    urlpatterns = [
        path('secret-admin/', admin.site.urls),  # any prefix other than admin/
    ]
Furthermore, to provide extra security, host the admin on a different domain entirely. If we need even more security, serve the admin behind a VPN or someplace that is not public.
3. Use ‘django-admin-honeypot’
After moving the admin site to a new URL (or to its own domain), install the django-admin-honeypot library on the old /admin/ URL to capture attempts to break into the site. django-admin-honeypot serves a fake admin login screen, and whenever someone tries to log in at the old /admin/ URL it emails the site administrators.
The email generated by django-admin-honeypot will contain the attacker’s IP address. So for added security, if we notice repeated login attempts from the same IP address, we can block that address.
4. Require stronger passwords
Most users will choose poor passwords. Enabling password validation (the AUTH_PASSWORD_VALIDATORS setting) forces users to select stronger passwords, which in turn protects their own data and the data they can reach through the admin.
5. Use two-factor authentication
Two-factor authentication (2FA) is a form of multi-factor authentication: the user must present a password plus something else before being authenticated on the site. Setting up 2FA for the Django admin therefore adds a further layer of security.
Here are three ways we can enable 2FA on the site:
i. 2FA with SMS, where a login code is sent by text message. This is better than requiring only a password, but SMS messages are easy to intercept.
ii. 2FA with an app such as Google Authenticator, which generates unique login codes for every service registered with it. To set this up, users scan a QR code on the site to register the site with their app; the app then generates the login code they use to log in.
iii. 2FA with YubiKey is one of the safest ways to enable 2FA on the site. In this method, users must have a physical device, a YubiKey, that they plug into a USB port when they try to log in.
The library Django-two-factor-auth can help us enable any of the above 2FA methods.
6. Use the latest version of Django
We suggest using the latest Django minor version to keep up with security updates and bugfixes, and upgrading to the newest long-term support (LTS) release as soon as is feasible. Above all, make sure the project is upgraded before its Django version drops off the supported-versions list.
7. Never run `DEBUG` in production
If DEBUG is set to True in the settings file, errors are displayed with full tracebacks. These tracebacks normally contain information we do not want end users to see, such as settings values and source code. We might also have other settings or code paths that are only enabled in debug mode and that could put users and their data at risk.
To avoid this, we suggest using different settings files for local development and for production deployment.
8. Remember the environment
The admin should explicitly state which environment we are in to keep users from accidentally deleting production data. We can achieve this using the django-admin-env-notice library. It will place a color-coded banner at the top of the Admin site.
9. Check for errors
This is not specific to the Django Admin, but it is still a great practice for securing the app. Run `python manage.py check --deploy` to list any security warnings. If we run this command against the local development settings, we will see some warnings that are not relevant to production, so run it against the production settings.
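As an added example (not code from the article, and not Django's own implementation), the following is a small stand-in for the part of `check --deploy` that covers the HTTPS settings from point 1 and the DEBUG setting from point 7. It runs a development settings dict and the production overrides through the same checks; the host name and settings values are constructed for the example, and the warning ids are the ones Django's own deployment checks report for these settings.

```python
# Added example: a Django-free stand-in for part of `manage.py check --deploy`.
# Django is not imported so the logic runs anywhere; warning ids match the
# ones Django's deployment checks use for these settings.

# Constructed sample: local-development settings and the production overrides
# the article recommends keeping in a separate settings file.
DEV_SETTINGS = {
    "DEBUG": True,                 # full tracebacks, for developers only
    "ALLOWED_HOSTS": [],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_HSTS_SECONDS": 0,
}
PROD_SETTINGS = {
    **DEV_SETTINGS,
    "DEBUG": False,
    "ALLOWED_HOSTS": ["example.com"],   # placeholder host name
    "SECURE_SSL_REDIRECT": True,        # plain-HTTP requests go to HTTPS
    "SESSION_COOKIE_SECURE": True,      # session cookie only over HTTPS
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,    # tell browsers to use HTTPS for a year
}

# (warning id, setting, predicate that is True when the value is unsafe, message)
DEPLOY_CHECKS = [
    ("security.W018", "DEBUG", lambda v: v is True,
     "DEBUG is True: tracebacks expose code and settings to end users"),
    ("security.W008", "SECURE_SSL_REDIRECT", lambda v: not v,
     "SECURE_SSL_REDIRECT is not True: HTTP requests are not redirected"),
    ("security.W012", "SESSION_COOKIE_SECURE", lambda v: not v,
     "SESSION_COOKIE_SECURE is not True: session cookie can travel over HTTP"),
    ("security.W016", "CSRF_COOKIE_SECURE", lambda v: not v,
     "CSRF_COOKIE_SECURE is not True"),
    ("security.W004", "SECURE_HSTS_SECONDS", lambda v: not v,
     "SECURE_HSTS_SECONDS is not set: no HSTS header is sent"),
    ("security.W020", "ALLOWED_HOSTS", lambda v: not v,
     "ALLOWED_HOSTS is empty"),
]

def deploy_warnings(settings):
    """Return (id, message) pairs for every setting that is unsafe in production."""
    return [(cid, msg) for cid, key, unsafe, msg in DEPLOY_CHECKS
            if unsafe(settings.get(key))]

if __name__ == "__main__":
    for name, cfg in (("development", DEV_SETTINGS), ("production", PROD_SETTINGS)):
        print(f"{name}: {len(deploy_warnings(cfg))} warning(s)")
        for cid, msg in deploy_warnings(cfg):
            print(f"  ({cid}) {msg}")
```

Running it prints six warnings for the development settings and none for the production overrides, which is the outcome the real `check --deploy` should give once a project uses separate settings files.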
10. Get a checkup
This is another tip that is not specific to the admin but is still good practice. After deploying to a staging site, run the website through an online security-scanning tool. Such a tool gives us a security score and a list of things to do to improve it. It tests the site for some of the items listed above and also recommends other ways to protect the site against specific vulnerabilities and types of attack.