A collection of Django security-related tools and topics. If you are concerned about security and use django for productivity, this can be of help.

If you'd like to contribute to this list, simply open a PR with your additions.

Maintained by @tcostam. If you have contributions but don't have the time, give me a shout at twitter

• Libs
  • MFA
  • Session Management
  • Permissions Management
  • Honeypots
  • Cryptography
  • Storage
  • Other
• Tools
• Vulnerabilities
• Guidelines
• Documentation
• Courses
• Talks
• Articles

• Django Secure Auth: Secure authentication by TOTP, SMS, Codes & Question. Login protected by IP ranges and with captcha
• Django MFA2: A Django app that handles MFA, it supports TOTP, U2F, FIDO2 U2F (Webauthn), Email Token and Trusted Devices
• Django Two Factor Auth: Django Two Factor Auth: Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects

• Django Defender: A simple super fast django reusable app that blocks people from brute forcing login attempts
• Django Axes: Keep track of failed login attempts in Django-powered sites
• Django Registration: django-registration is an extensible application providing user registration functionality for Django-powered Web sites
• Django Session Activity: List recent account activity and sign-out from all sessions opened on other computers
• Django Restricted Sessions: Restrict Django sessions to IP and/or user agent
• Django Ratelimit Backend: Rate-limit your login attempts at the authentication backend level
• Django Session Security: Django Session Security: user's page activity monitoring for logging him out
• Django Simple Captcha

• DjangoRestFramework Api Key: API key permissions for the Django REST Framework
• Django Rules: flexible and scalable Django authorization backend for unified per object permission management
• Django Rules: provides object-level permissions to Django, without requiring a database
• Django Role Permissions: A django app for role based permissions
• Dry Rest Permissions: Dry Rest Permissions: Rules based permissions for the Django Rest Framework
• Django Guardian: implementation of per-object permissions on top of Django's authorization backend.
• Django Authority: A Django app that provides generic per-object-permissions for Django's auth app and helpers to create custom permission checks
• Django Permission: An enhanced permission system which support object permission in Django
• Django Rulez: A lean and mean object-level rules system for the Django framework

• Django Admin Honeypot: django-admin-honeypot is a fake Django admin login screen to log and notify admins of attempted unauthorized access
• Django Honeypot: Django Honeypot: Generic honeypot utilities for use in django projects

• Django Cryptography: Easily encrypt data in Django

• Django Safe Filefield: Secure file field, which allows you to restrict uploaded file extensions
• Django Random Filestorage: Django storage class that assigns random filenames to all stored files

• Django Security: A collection of models, views, middlewares, and forms to help secure a Django project.
• Django Sudo: Extra security for your sensitive pages
• Django Impersonate: Simple app to allow superusers to login as other (non-superuser) accounts via a quick user switch process
• Wemake Django Template: Bleeding edge django template focused on code quality and security
• Django SSLify: Force SSL on your Django site
• Django Stronghold: Make all your Django views default login_required
• Django Lockdown: Django Lockdown: Lock down a Django site or individual views, with configurable preview authorization
• Impostor: Django app that enables staff to log in as other users using their own credentials
• Django Primate: A Modular Django User
• Django HTML Sanitizer: A set of HTML input sanitization or cleaning utilities for django models, forms and templates
• Django Rules Light: This is a simple alternative to django-rules. The core difference is that it uses as registry that can be modified on runtime, instead of database models.
• Django Inspectional Registration: Django registration app with Inspection before activation
• Django Mongo Auth: Django authentication based on an extensible MongoEngine user class
• HTML Sanitizer: Allowlist-based HTML cleaner
• Bleach: Bleach is an allowed-list-based HTML sanitizing library that escapes or strips markup and attributes

• Django Trawler: This app is used to send out phishing emails and collect data on which recipients acted on them
• Pony Checkup: basic automated security checkup for Django websites
• SSL Checker: diagnose problems with your SSL certificate installation
• Safety: check your dependencies for known security vulnerabilities
• Mozilla Observatory: The Mozilla Observatory is a set of tools to analyze your website and inform you if you are utilizing the many available methods to secure it.
• Snyk: CLI and build-time tool to find & fix known vulnerabilities in open-source dependencies

• Django Debreach: Basic/extra mitigation against the BREACH attack for Django projects
• Django CVEs
• Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)

• Django Security Tips: Learn and promote secure system administration tips and practices in the Django community
• OWASP Python Security Project

• Django Docs: Security in Django
• Django Packages: Security
• Deployment checklist
• Mozilla's tutorial on Django web application security

• Learn the secrets to defensive programming in Python and Django

• Terri Oda - Python Security Tools - PyCon 2019

• What You Need to Know to Manage Users in Django Admin
• MDN - Django web application security
• Protect Your Django Web Application From Security Threats
• 10 tips for making the Django Admin more secure
• Tips and Tools for Securing Django
• Django in the wild: tips for deployment survival
• Django Web Application Security
• Django in the real world