product iamge

Full Stack Python Security: Cryptography, TLS, and attack resistance

This document was uploaded by one of our users. The uploader already confirmed that they had the permission to publish it. If you are author/publisher or own the copyright of this documents, please report to us by using this DMCA report form.

Download
Search on Amazon

Simply click on the Download Book button.

Yes, Book downloads on Ebookily are 100% Free.

Sometimes the book is free on Amazon As well, so go ahead and hit "Search on Amazon"

Full Stack Python Security teaches you everything you’ll need to build secure Python web applications. Summary In Full Stack Python Security: Cryptography, TLS, and attack resistance, you’ll learn how to: • Use algorithms to encrypt, hash, and digitally sign data • Create and install TLS certificates • Implement authentication, authorization, OAuth 2.0, and form validation in Django • Protect a web application with Content Security Policy • Implement Cross Origin Resource Sharing • Protect against common attacks including clickjacking, denial of service attacks, SQL injection, cross-site scripting, and more Full Stack Python Security: Cryptography, TLS, and attack resistance teaches you everything you’ll need to build secure Python web applications. As you work through the insightful code snippets and engaging examples, you’ll put security standards, best practices, and more into action. Along the way, you’ll get exposure to important libraries and tools in the Python ecosystem. About the technology Security is a full-stack concern, encompassing user interfaces, APIs, web servers, network infrastructure, and everything in between. Master the powerful libraries, frameworks, and tools in the Python ecosystem and you can protect your systems top to bottom. Packed with realistic examples, lucid illustrations, and working code, this book shows you exactly how to secure Python-based web applications. About the book Full Stack Python Security: Cryptography, TLS, and attack resistance teaches you everything you need to secure Python and Django-based web apps. In it, seasoned security pro Dennis Byrne demystifies complex security terms and algorithms. Starting with a clear review of cryptographic foundations, you’ll learn how to implement layers of defense, secure user authentication and third-party access, and protect your applications against common hacks. What's inside • Encrypt, hash, and digitally sign data • Create and install TLS certificates • Implement authentication, authorization, OAuth 2.0, and form validation in Django • Protect against attacks such as clickjacking, cross-site scripting, and SQL injection About the reader For intermediate Python programmers. About the author Dennis Byrne is a tech lead for 23andMe, where he protects the genetic data of more than 10 million customers.

Author(s): Dennis Byrne
Edition: 1
Publisher: Manning
Year: 2021

Language: English
Commentary: Publisher's PDF
Pages: 306
City: Shelter Island, NY
Tags: Security; Python; Web Applications; Filesystems; HTTP; Cryptography; Best Practices; Hash Functions; Public-Key Cryptography; Django; YAML; XML; Hashing; XSS; Password Management; Private-Key Cryptography; Denial of Service; Package Management; Cross-Site Request Forgery; Open Redirect; Full-Stack Development; TLS

Full Stack Python Security
contents
preface
acknowledgments
about this book
Who should read this book
How this book is organized: A roadmap
About the code
liveBook discussion forum
about the author
about the cover illustration
1 Defense in depth
1.1 Attack surface
1.2 Defense in depth
1.2.1 Security standards
1.2.2 Best practices
1.2.3 Security fundamentals
1.3 Tools
1.3.1 Staying practical
Summary
Part 1 Cryptographic foundations
2 Hashing
2.1 What is a hash function?
2.1.1 Cryptographic hash function properties
2.2 Archetypal characters
2.3 Data integrity
2.4 Choosing a cryptographic hash function
2.4.1 Which hash functions are safe?
2.4.2 Which hash functions are unsafe?
2.5 Cryptographic hashing in Python
2.6 Checksum functions
Summary
3 Keyed hashing
3.1 Data authentication
3.1.1 Key generation
3.1.2 Keyed hashing
3.2 HMAC functions
3.2.1 Data authentication between parties
3.3 Timing attacks
Summary
4 Symmetric encryption
4.1 What is encryption?
4.1.1 Package management
4.2 The cryptography package
4.2.1 Hazardous materials layer
4.2.2 Recipes layer
4.2.3 Key rotation
4.3 Symmetric encryption
4.3.1 Block ciphers
4.3.2 Stream ciphers
4.3.3 Encryption modes
Summary
5 Asymmetric encryption
5.1 Key-distribution problem
5.2 Asymmetric encryption
5.2.1 RSA public-key encryption
5.3 Nonrepudiation
5.3.1 Digital signatures
5.3.2 RSA digital signatures
5.3.3 RSA digital signature verification
5.3.4 Elliptic-curve digital signatures
Summary
6 Transport Layer Security
6.1 SSL? TLS? HTTPS?
6.2 Man-in-the-middle attack
6.3 The TLS handshake
6.3.1 Cipher suite negotiation
6.3.2 Key exchange
6.3.3 Server authentication
6.4 HTTP with Django
6.4.1 The DEBUG setting
6.5 HTTPS with Gunicorn
6.5.1 Self-signed public-key certificates
6.5.2 The Strict-Transport-Security response header
6.5.3 HTTPS redirects
6.6 TLS and the requests package
6.7 TLS and database connections
6.8 TLS and email
6.8.1 Implicit TLS
6.8.2 Email client authentication
6.8.3 SMTP authentication credentials
Summary
Part 2 Authentication and authorization
7 HTTP session management
7.1 What are HTTP sessions?
7.2 HTTP cookies
7.2.1 Secure directive
7.2.2 Domain directive
7.2.3 Max-Age directive
7.2.4 Browser-length sessions
7.2.5 Setting cookies programmatically
7.3 Session-state persistence
7.3.1 The session serializer
7.3.2 Simple cache-based sessions
7.3.3 Write-through cache-based sessions
7.3.4 Database-based session engine
7.3.5 File-based session engine
7.3.6 Cookie-based session engine
Summary
8 User authentication
8.1 User registration
8.1.1 Templates
8.1.2 Bob registers his account
8.2 User authentication
8.2.1 Built-in Django views
8.2.2 Creating a Django app
8.2.3 Bob logs into and out of his account
8.3 Requiring authentication concisely
8.4 Testing authentication
Summary
9 User password management
9.1 Password-change workflow
9.1.1 Custom password validation
9.2 Password storage
9.2.1 Salted hashing
9.2.2 Key derivation functions
9.3 Configuring password hashing
9.3.1 Native password hashers
9.3.2 Custom password hashers
9.3.3 Argon2 password hashing
9.3.4 Migrating password hashers
9.4 Password-reset workflow
Summary
10 Authorization
10.1 Application-level authorization
10.1.1 Permissions
10.1.2 User and group administration
10.2 Enforcing authorization
10.2.1 The low-level hard way
10.2.2 The high-level easy way
10.2.3 Conditional rendering
10.2.4 Testing authorization
10.3 Antipatterns and best practices
Summary
11 OAuth 2
11.1 Grant types
11.1.1 Authorization code flow
11.2 Bob authorizes Charlie
11.2.1 Requesting authorization
11.2.2 Granting authorization
11.2.3 Token exchange
11.2.4 Accessing protected resources
11.3 Django OAuth Toolkit
11.3.1 Authorization server responsibilities
11.3.2 Resource server responsibilities
11.4 requests-oauthlib
11.4.1 OAuth client responsibilities
Summary
Part 3 Attack resistance
12 Working with the operating system
12.1 Filesystem-level authorization
12.1.1 Asking for permission
12.1.2 Working with temp files
12.1.3 Working with filesystem permissions
12.2 Invoking external executables
12.2.1 Bypassing the shell with internal APIs
12.2.2 Using the subprocess module
Summary
13 Never trust input
13.1 Package management with Pipenv
13.2 YAML remote code execution
13.3 XML entity expansion
13.3.1 Quadratic blowup attack
13.3.2 Billion laughs attack
13.4 Denial of service
13.5 Host header attacks
13.6 Open redirect attacks
13.7 SQL injection
13.7.1 Raw SQL queries
13.7.2 Database connection queries
Summary
14 Cross-site scripting attacks
14.1 What is XSS?
14.1.1 Persistent XSS
14.1.2 Reflected XSS
14.1.3 DOM-based XSS
14.2 Input validation
14.2.1 Django form validation
14.3 Escaping output
14.3.1 Built-in rendering utilities
14.3.2 HTML attribute quoting
14.4 HTTP response headers
14.4.1 Disable JavaScript access to cookies
14.4.2 Disable MIME type sniffing
14.4.3 The X-XSS-Protection header
Summary
15 Content Security Policy
15.1 Composing a content security policy
15.1.1 Fetch directives
15.1.2 Navigation and document directives
15.2 Deploying a policy with django-csp
15.3 Using individualized policies
15.4 Reporting CSP violations
15.5 Content Security Policy Level 3
Summary
16 Cross-site request forgery
16.1 What is request forgery?
16.2 Session ID management
16.3 State-management conventions
16.3.1 HTTP method validation
16.4 Referer header validation
16.4.1 Referrer-Policy response header
16.5 CSRF tokens
16.5.1 POST requests
16.5.2 Other unsafe request methods
Summary
17 Cross-Origin Resource Sharing
17.1 Same-origin policy
17.2 Simple CORS requests
17.2.1 Cross-origin asynchronous requests
17.3 CORS with django-cors-headers
17.3.1 Configuring Access-Control-Allow-Origin
17.4 Preflight CORS requests
17.4.1 Sending the preflight request
17.4.2 Sending the preflight response
17.5 Sending cookies across origins
17.6 CORS and CSRF resistance
Summary
18 Clickjacking
18.1 The X-Frame-Options header
18.1.1 Individualized responses
18.2 The Content-Security-Policy header
18.2.1 X-Frame-Options versus CSP
18.3 Keeping up with Mallory
Summary
index
Numerics
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Full Stack Python Security - back