A Pentester's Thoughts on Django Security
2020-09-18, 15:50–16:30 (Europe/Lisbon), Virtual

Django can make you feel like you are in security heaven and yet there are some pitfalls to avoid. In this talk, I want to praise Django design choices, give an overview of Django's security features and their limitations and conclude with some general security best practices to keep in mind.


By day, I work as a penetration tester trying to find security vulnerabilities in other people's web applications. By night, I develop my own Django-based web application and try not to make the same mistakes I see in my customer's applications. Within the last two years of working with Django, I could not stop being amazed by the security focus of the Django team.

Praise and History

In a short history lesson, I want to point out a few design choices and decisions the Django team has made over the years which make me very comfortable with using Django as a web framework because they are proof that the Django team takes security very seriously.

Django Security Features and their limitations

While it is amazing what Django does for security already out of the box, it does not replace developer awareness. I would like to give an overview of Django's security features and point out their (already known and documented) limitations especially in cases where developer's might have a false sense of "security is already taken care off".

Best Practices

Finally, I will share some security best practices which will help avoiding unnecessary pentest findings and support you with keeping your applications secure.

Pentester by day, web developer by night. After graduating as a physicist in Tübingen, Germany in 2013, Pascal started working as a penetration tester for web applications, mobile applications, and windows networks. In 2018, he started to work on his own web application. Having written a couple of Python scripts before, Pascal was happy to find Django as a Python-based web framework with a strong security focus.