I have a Django project, where, for the most part, users need to be logged in to see or do anything.
If an unauthenticated user guesses a page name in my project, they would get redirected to the login page, with an error message, as they should.
The project's static and media files on the other hand had no protection. If someone guesses their names (and URL), authenticated or not, they would be allowed to download them.
To fix this, I configured Nginx to mark all static and media files as Internal, and I wrote middleware that sends my Nginx server the X-Accel-Redirect header if users are authenticated. The code is here. Functionally, this seems to work great - at least in testing.
Unfortunately, when looking at my Firefox development tools, Django's Admin Logged-In page takes about 1 second to load without this middleware enabled, and about 3.5 seconds to load with this middleware enabled.
Am I doing something inefficiently in my middleware? Or is the idea of having every single request for every static resource be authorized by Django, rather than quickly returned by Nginx, inherently inefficient?
What's the best practice?
- Is it to leave static files unprotected (css and js files don't normally have anything confidential), while securing /media files with X-Accel-Redirect?
- Is it to have everything unprotected, but obfuscate the filenames of the resources to make them super difficult to guess, but quick to be returned by Nginx?
- Is there no best practice? Is it done on a case-by-case basis depending on the level of confidentiality of the static/media files you are dealing with?
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/7ee0735e-1266-4f51-aff6-a2d60cbd8a41%40googlegroups.com.
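The X-Accel-Redirect handoff described in the post, as an added example that is not the poster's middleware or any project code. It is written as a plain WSGI application so it runs without Django installed; the same logic drops into a Django view. Only `/media/` URLs reach the application, while the assumed nginx configuration (constructed, shown in the docstring) serves `/static/` directly, which is the split the first option in the question asks about. The `app.user_authenticated` environ key stands in for a real session lookup, and the `/protected-media/` internal location name is an assumption.

```python
"""Hand protected media files to nginx with X-Accel-Redirect.

Added example, not the original poster's code. Assumed nginx configuration
(constructed for this example; paths are placeholders):

    location /static/ {             # public assets: nginx serves them itself
        alias /srv/app/static/;
    }
    location /protected-media/ {    # unreachable from a client URL
        internal;
        alias /srv/app/media/;
    }
    location / {
        proxy_pass http://127.0.0.1:8000;
    }

nginx passes Content-Type, Content-Disposition and Cache-Control from the
application's response through to the file it serves, so they are set here.
"""
import mimetypes
from posixpath import normpath
from urllib.parse import quote

MEDIA_PREFIX = "/media/"               # public URL prefix handled by the app
INTERNAL_PREFIX = "/protected-media/"  # nginx `internal` location (assumed)
LOGIN_URL = "/accounts/login/"


def internal_path_for(request_path):
    """Map a /media/ URL to a path relative to the internal location.

    Returns None for anything outside /media/ or anything that could escape
    the media root (traversal, absolute paths, NUL bytes), so the internal
    redirect can never point nginx at a file outside the media alias.
    """
    if not request_path.startswith(MEDIA_PREFIX):
        return None
    rel = request_path[len(MEDIA_PREFIX):]
    if not rel or "\x00" in rel:
        return None
    normalized = normpath(rel)  # collapses "a/../b" to "b", "../x" stays "../x"
    if normalized in (".", "..") or normalized.startswith(("/", "../")):
        return None
    return normalized


def media_app(environ, start_response):
    """WSGI app: authenticated users get an empty 200 carrying X-Accel-Redirect."""
    path = environ.get("PATH_INFO", "")
    # Stand-in for a real authentication check (Django: request.user.is_authenticated).
    authenticated = environ.get("app.user_authenticated") is True

    target = internal_path_for(path)
    if target is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]

    if not authenticated:
        # Same behaviour as the login redirect for protected pages.
        location = LOGIN_URL + "?next=" + quote(path, safe="")
        start_response("302 Found", [("Location", location)])
        return [b""]

    content_type = mimetypes.guess_type(target)[0] or "application/octet-stream"
    headers = [
        ("X-Accel-Redirect", INTERNAL_PREFIX + target),
        ("Content-Type", content_type),
        ("Cache-Control", "private, no-store"),  # keep shared caches out of it
    ]
    start_response("200 OK", headers)
    return [b""]  # nginx replaces the body with the file


def call(app, path, authenticated=False):
    """Invoke a WSGI app in-process; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "app.user_authenticated": authenticated}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for path, auth in [("/media/reports/q1.pdf", True),
                       ("/media/reports/q1.pdf", False),
                       ("/media/../settings.py", True),
                       ("/static/app.css", True)]:
        status, headers, _ = call(media_app, path, auth)
        print(path, auth, "->", status, headers.get("X-Accel-Redirect", ""))
```

Every request for a `/media/` file still costs one round trip through the application (session lookup included), which is the overhead the question measures; the `/static/` location never enters the application at all, so public CSS and JS stay as fast as nginx can serve them.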