Full Stack Python Security

Name: Full Stack Python Security | Cryptography, TLS, and attack resistance
Brand: Manning
Price: 49.44 EUR
Availability: OnlineOnly

Cryptography, TLS, and attack resistance

Dennis Byrne(Author)

Manning (Publisher)

1st Edition

Published on 24. August 2021

304 pages

E-Book

ePUB with Adobe-DRM

System requirements

978-1-63835-716-2 (ISBN)

€49.44incl. 7% vat

System requirements

for ePUB with Adobe-DRM

E-Book Single Licence

Available for download

Description

Alles über E-Books | Antworten auf Fragen rund um E-Books, Kopierschutz und Dateiformate finden Sie in unserem Info- & Hilfebereich.

Alles über E-Books, Kopierschutz & Dateiformate finden Sie in unserem Info- & Hilfebereich.

Full Stack Python Security teaches you everything you'll need to build secure Python web applications.

Summary
In Full Stack Python Security: Cryptography, TLS, and attack resistance, you'll learn how to:

Use algorithms to encrypt, hash, and digitally sign data
Create and install TLS certificates
Implement authentication, authorization, OAuth 2.0, and form validation in Django
Protect a web application with Content Security Policy
Implement Cross Origin Resource Sharing
Protect against common attacks including clickjacking, denial of service attacks, SQL injection, cross-site scripting, and more

Full Stack Python Security: Cryptography, TLS, and attack resistance teaches you everything you'll need to build secure Python web applications. As you work through the insightful code snippets and engaging examples, you'll put security standards, best practices, and more into action. Along the way, you'll get exposure to important libraries and tools in the Python ecosystem.

Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.

About the technology
Security is a full-stack concern, encompassing user interfaces, APIs, web servers, network infrastructure, and everything in between. Master the powerful libraries, frameworks, and tools in the Python ecosystem and you can protect your systems top to bottom. Packed with realistic examples, lucid illustrations, and working code, this book shows you exactly how to secure Python-based web applications.

About the book
Full Stack Python Security: Cryptography, TLS, and attack resistance teaches you everything you need to secure Python and Django-based web apps. In it, seasoned security pro Dennis Byrne demystifies complex security terms and algorithms. Starting with a clear review of cryptographic foundations, you'll learn how to implement layers of defense, secure user authentication and third-party access, and protect your applications against common hacks.

What's inside

Encrypt, hash, and digitally sign data
Create and install TLS certificates
Implement authentication, authorization, OAuth 2.0, and form validation in Django
Protect against attacks such as clickjacking, cross-site scripting, and SQL injection

About the reader
For intermediate Python programmers.

About the author
Dennis Byrne is a tech lead for 23andMe, where he protects the genetic data of more than 10 million customers.

Table of Contents
1 Defense in depth
PART 1 - CRYPTOGRAPHIC FOUNDATIONS
2 Hashing
3 Keyed hashing
4 Symmetric encryption
5 Asymmetric encryption
6 Transport Layer Security
PART 2 - AUTHENTICATION AND AUTHORIZATION
7 HTTP session management
8 User authentication
9 User password management
10 Authorization
11 OAuth 2
PART 3 - ATTACK RESISTANCE
12 Working with the operating system
13 Never trust input
14 Cross-site scripting attacks
15 Content Security Policy
16 Cross-site request forgery
17 Cross-Origin Resource Sharing
18 Clickjacking

More details

Person

Content

Intro
Full Stack Python Security
Copyright
contents
front matter
preface
acknowledgments
about this book
Who should read this book
How this book is organized: A roadmap
About the code
liveBook discussion forum
about the author
about the cover illustration
1 Defense in depth
1.1 Attack surface
1.2 Defense in depth
1.2.1 Security standards
1.2.2 Best practices
1.2.3 Security fundamentals
1.3 Tools
1.3.1 Staying practical
Summary
Part 1 Cryptographic foundations
2 Hashing
2.1 What is a hash function?
2.1.1 Cryptographic hash function properties
2.2 Archetypal characters
2.3 Data integrity
2.4 Choosing a cryptographic hash function
2.4.1 Which hash functions are safe?
2.4.2 Which hash functions are unsafe?
2.5 Cryptographic hashing in Python
2.6 Checksum functions
Summary
3 Keyed hashing
3.1 Data authentication
3.1.1 Key generation
3.1.2 Keyed hashing
3.2 HMAC functions
3.2.1 Data authentication between parties
3.3 Timing attacks
Summary
4 Symmetric encryption
4.1 What is encryption?
4.1.1 Package management
4.2 The cryptography package
4.2.1 Hazardous materials layer
4.2.2 Recipes layer
4.2.3 Key rotation
4.3 Symmetric encryption
4.3.1 Block ciphers
4.3.2 Stream ciphers
4.3.3 Encryption modes
Summary
5 Asymmetric encryption
5.1 Key-distribution problem
5.2 Asymmetric encryption
5.2.1 RSA public-key encryption
5.3 Nonrepudiation
5.3.1 Digital signatures
5.3.2 RSA digital signatures
5.3.3 RSA digital signature verification
5.3.4 Elliptic-curve digital signatures
Summary
6 Transport Layer Security
6.1 SSL? TLS? HTTPS?
6.2 Man-in-the-middle attack
6.3 The TLS handshake
6.3.1 Cipher suite negotiation
6.3.2 Key exchange
6.3.3 Server authentication
6.4 HTTP with Django
6.4.1 The DEBUG setting
6.5 HTTPS with Gunicorn
6.5.1 Self-signed public-key certificates
6.5.2 The Strict-Transport-Security response header
6.5.3 HTTPS redirects
6.6 TLS and the requests package
6.7 TLS and database connections
6.8 TLS and email
6.8.1 Implicit TLS
6.8.2 Email client authentication
6.8.3 SMTP authentication credentials
Summary
Part 2 Authentication and authorization
7 HTTP session management
7.1 What are HTTP sessions?
7.2 HTTP cookies
7.2.1 Secure directive
7.2.2 Domain directive
7.2.3 Max-Age directive
7.2.4 Browser-length sessions
7.2.5 Setting cookies programmatically
7.3 Session-state persistence
7.3.1 The session serializer
7.3.2 Simple cache-based sessions
7.3.3 Write-through cache-based sessions
7.3.4 Database-based session engine
7.3.5 File-based session engine
7.3.6 Cookie-based session engine
Summary
8 User authentication
8.1 User registration
8.1.1 Templates
8.1.2 Bob registers his account
8.2 User authentication
8.2.1 Built-in Django views
8.2.2 Creating a Django app
8.2.3 Bob logs into and out of his account
8.3 Requiring authentication concisely
8.4 Testing authentication
Summary
9 User password management
9.1 Password-change workflow
9.1.1 Custom password validation
9.2 Password storage
9.2.1 Salted hashing
9.2.2 Key derivation functions
9.3 Configuring password hashing
9.3.1 Native password hashers
9.3.2 Custom password hashers
9.3.3 Argon2 password hashing
9.3.4 Migrating password hashers
9.4 Password-reset workflow
Summary
10 Authorization
10.1 Application-level authorization
10.1.1 Permissions
10.1.2 User and group administration
10.2 Enforcing authorization
10.2.1 The low-level hard way
10.2.2 The high-level easy way
10.2.3 Conditional rendering
10.2.4 Testing authorization
10.3 Antipatterns and best practices
Summary
11 OAuth 2
11.1 Grant types
11.1.1 Authorization code flow
11.2 Bob authorizes Charlie
11.2.1 Requesting authorization
11.2.2 Granting authorization
11.2.3 Token exchange
11.2.4 Accessing protected resources
11.3 Django OAuth Toolkit
11.3.1 Authorization server responsibilities
11.3.2 Resource server responsibilities
11.4 requests-oauthlib
11.4.1 OAuth client responsibilities
Summary
Part 3 Attack resistance
12 Working with the operating system
12.1 Filesystem-level authorization
12.1.1 Asking for permission
12.1.2 Working with temp files
12.1.3 Working with filesystem permissions
12.2 Invoking external executables
12.2.1 Bypassing the shell with internal APIs
12.2.2 Using the subprocess module
Summary
13 Never trust input
13.1 Package management with Pipenv
13.2 YAML remote code execution
13.3 XML entity expansion
13.3.1 Quadratic blowup attack
13.3.2 Billion laughs attack
13.4 Denial of service
13.5 Host header attacks
13.6 Open redirect attacks
13.7 SQL injection
13.7.1 Raw SQL queries
13.7.2 Database connection queries
Summary
14 Cross-site scripting attacks
14.1 What is XSS?
14.1.1 Persistent XSS
14.1.2 Reflected XSS
14.1.3 DOM-based XSS
14.2 Input validation
14.2.1 Django form validation
14.3 Escaping output
14.3.1 Built-in rendering utilities
14.3.2 HTML attribute quoting
14.4 HTTP response headers
14.4.1 Disable JavaScript access to cookies
14.4.2 Disable MIME type sniffing
14.4.3 The X-XSS-Protection header
Summary
15 Content Security Policy
15.1 Composing a content security policy
15.1.1 Fetch directives
Navigation and document directives
15.2 Deploying a policy with django-csp
15.3 Using individualized policies
15.4 Reporting CSP violations
15.5 Content Security Policy Level 3
Summary
16 Cross-site request forgery
16.1 What is request forgery?
16.2 Session ID management
16.3 State-management conventions
16.3.1 HTTP method validation
16.4 Referer header validation
16.4.1 Referrer-Policy response header
16.5 CSRF tokens
16.5.1 POST requests
16.5.2 Other unsafe request methods
Summary
17 Cross-Origin Resource Sharing
17.1 Same-origin policy
17.2 Simple CORS requests
17.2.1 Cross-origin asynchronous requests
17.3 CORS with django-cors-headers
17.3.1 Configuring Access-Control-Allow-Origin
17.4 Preflight CORS requests
17.4.1 Sending the preflight request
17.4.2 Sending the preflight response
17.5 Sending cookies across origins
17.6 CORS and CSRF resistance
Summary
18 Clickjacking
18.1 The X-Frame-Options header
18.1.1 Individualized responses
18.2 The Content-Security-Policy header
18.2.1 X-Frame-Options versus CSP
18.3 Keeping up with Mallory
Summary
index

System requirements

Save as PDF Copy link into clipboard

Schweitzer Fachinformationen

Full Stack Python Security

Description

More details

Person

Content

System requirements