It is always important to build a secure application.
Django comes with built-in security for passwords, but it doesn’t provide security for other datasets that are supposed to be secured.
If the hurdle of securing data on your Django app has stumped you and you’re looking for an answer, you have come to the right place.
In this tutorial, I will be introducing you to cryptography as a means of securing your application. In the process, we will discuss encryption and hashing and how the two relate to each other. Data, like people’s home addresses, salary, customer information, etc., should be stored securely so that they aren’t exposed in the case of a data breach. When there is a data breach, you wouldn’t want sensitive data to be exposed to other users. This is where cryptography comes in.
Data is typically transmitted from the user to the database. While it is in transit, it should be encrypted. Then, if the network is intercepted, the transmitted data will stay secure. Encryption and hashing of sensitive data is one of the easiest ways to protect critical data.
To follow this article basic understanding of Django framework is required
About Encryption, Decryption, and Cryptography
Encryption is the process of converting the original versions of data into an encoded form known as ciphertext. When this is done, only the receiver is able to decipher the ciphertext back into its original version. Therefore, encryption does not make your application secure it just converts its data into a form that can’t be understood by other people.
Decryption is the act of converting the already encrypted data. It is the exact opposite of encryption. Decryption enables you to decode the encrypted information so that an authorized user can access it with the expected secret key or password.
Cryptography is the process of protecting information by converting it so that it is only readable for the intended recipient. For example, assume a web application user wants to save their address in a database from the frontend. While the data sits in the database, it is at risk of being exposed to a user for whom it isn’t intended. Thus, it is encrypted and then decrypted when necessary. Cryptography encapsulates the concepts of both encryption and decryption.
Build Django Project
First, create a new virtual environment for the project: $ virtualenv env
Activate the virtual environment.
On MacOS and Linux, use $ source env/bin/activate.
On Windows, use $ .\env\Scripts\activate.
To install Django, run (env) $ pip install django. Then, run (env) $ django-admin startproject crypto_project to create a new project.
Now, cd into the root of your application and create an app by running (env) $ python manage.py startapp app.
Add the app you just created to settings.py.
To encrypt your data using django_cryptography, all you need to do is import encrypt from django_cryptography.fields and use it directly on each field where it is required.
In app/models.py put the code given below.
Then, add the code given below to app/admin.py to display your models on your admin page.
Encrypting Data in Database
Normally, when using Django, data is stored in human-readable format. So, the task is to encrypt the data into a format that is not human-readable. Thankfully, we don’t need to write much code since a Django project that provides that service has already been built.
In this article, we will be using django_cryptography.
To install it, just run (env)$ pip install django-cryptography.
Next, we have to create our database. On your terminal, navigate to the root of your project, where manage.py is and run (env)$ python manage.py makemigrations.
Then, run (env)$ python manage.py migrate.
Now, let’s create an admin user so that we can store some data and test out our application.
To do that, run $ python manage.py createsuperuser and fill in the necessary details.
Next, run the server with $ python manage.py runserver. Then, open the admin page on the browser using http://127.0.0.1:8000/admin/ and add some data to the models.
Now, to test whether our security protocol worked, we will use a network other than Django to view our data. In this tutorial, we will use the sqlite3 server to view our database.
To do that, on your terminal, navigate to the folder where the database is and run: $ sqlite3 db.sqlite3
Then, use .tables to see all the tables you have on the database.
Now, run select * from app_mymodel; to view all the data you have saved and you will see that the table you added cryptography to is hidden. It will display the names but not the addresses and health data. This means that our process worked. Now, no one will be able to view the users’ data in the event of a data breach.
You will notice that you are able to see the data without any issues in the Django admin. This is because django_cryptography has been built that way. The data is encrypted once saved, but it is decrypted into plaintext if you access the data with the Django server.
In this article, I briefly discussed encryption, decryption, and cryptography and how you can potentially secure your Django application using them. Encryption and decryption protect applications from sensitive data exposure, which is third in the OWASP Top 10 list. The process given above can protect sensitive data on your Django application if the wrong server, network, or person is trying to access it.
Sensitive data exposure is a very serious issue in current web apps. That is why it is third in the OWASP Top 10 list.
Hopefully, with the process and tools provided in this article, you will be able to start creating Django applications that are free of any sensitive data exposure.