TL;DR notes from articles I read today.
Common security gotchas in Python and how to avoid them
- Prevent input injections (SQL or command injections) by sanitising input with the utilities that ship with your web framework, avoiding hand-built SQL queries, and using the shlex module to quote input for the shell correctly.
- Avoid relying on assert statements except when communicating with other developers (such as in unit tests or to guard against incorrect API usage), because production environments commonly run with optimisations enabled, and Python then skips assert statements entirely.
- Python's import system is very flexible, and installing third-party packages can open security holes. You also need to consider the dependencies of your dependencies. So vet your packages: look at PyUp.io, check package signatures, use virtual environments for all apps, and keep your global site-packages as clean as possible.
- Rather than the very powerful yaml.load, which can instantiate arbitrary Python objects from a document, use yaml.safe_load.
- Python itself can have overrun or overflow vulnerabilities related to memory allocation, so keep your runtime patched, even when you are already on the latest release line.
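As an added example (not from the original article), the SQL, shell and assert points above in runnable form: a string-built query beside its parameterised equivalent on a constructed in-memory sqlite table, shlex.quote applied to a filename that contains shell metacharacters, and a child interpreter started with -O to show that assert statements are skipped. The table rows and input strings are constructed for this example.

```python
import shlex
import sqlite3
import subprocess
import sys


def make_db():
    """Constructed in-memory table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def lookup_role_unsafe(con, name):
    """Query built by string formatting: the input becomes part of the SQL."""
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_role_safe(con, name):
    """Parameterised query: the driver binds the value; it never becomes SQL."""
    sql = "SELECT role FROM users WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def build_listing_command(path):
    """shlex.quote turns any string into a single shell word, so
    metacharacters in 'path' stay data rather than syntax."""
    return "ls -l " + shlex.quote(path)


def assertion_fires(optimised):
    """Run 'assert False' in a child interpreter, optionally with -O.
    Returns True if the assertion actually raised (non-zero exit)."""
    flags = ["-O"] if optimised else []
    result = subprocess.run([sys.executable, *flags, "-c", "assert False"],
                            capture_output=True)
    return result.returncode != 0


if __name__ == "__main__":
    db = make_db()
    print(lookup_role_unsafe(db, "x' OR 'a'='a"))  # both rows leak
    print(lookup_role_safe(db, "x' OR 'a'='a"))    # []
    print(build_listing_command("report.txt; id"))  # ls -l 'report.txt; id'
    print(assertion_fires(False), assertion_fires(True))  # True False
```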
Full post here, 7 mins read
HTTP headers to secure your app for the busy web developer
- Set an X-Frame-Options header to stop someone wrapping your site in an iframe to clickjack it. The values are DENY, SAMEORIGIN, and ALLOW-FROM.
- You can set X-XSS-Protection to block reflected XSS (cross-site scripting) attacks.
- Set the X-Content-Type-Options header to force browsers to respect the server-specified content type, preventing JavaScript injection through a file served as HTML.
- Apply Strict-Transport-Security so browsers refuse to connect over plain HTTP and use HTTPS instead.
- Protect cookies from theft with the HttpOnly attribute, which stops JavaScript from reading them (blunting an XSS attacker), and the Secure attribute, which lets cookies travel only over HTTPS, never plain HTTP.
Full post here, 4 mins read
5 ways to make HTTP requests in Node.js
- You can use the built-in http module from the standard library. It saves you the trouble of installing external dependencies but is not as user-friendly as the other options.
- Request is a simplified, more user-friendly HTTP client that you install as a dependency from npm. It is easy to use, and you can add Promise support with the request-promise library.
- Axios is a Promise-based client for both the browser and Node.js, good for asynchronous code and more complex uses. It parses JSON responses by default and can handle multiple concurrent requests with axios.all.
- SuperAgent, which is primarily used for Ajax requests in the browser, also works in Node.js. It offers chainable functions such as query() for adding parameters to a request, and, as with Axios, you don't need to parse JSON responses yourself.
- Got is a lighter-weight library than Request and the others, and it works with Promises as well.
Full post here, 4 mins read
Get these notes directly in your inbox every weekday by signing up for my newsletter, in.snippets().