Research And Implementation Of XSS And CSRF Defense System Based On Django

With the constant development of the Internet,web platform has gradually developed as a user led Internet model,but it has caused XSS attacks and CSRF attacks and other web application security risks.Django as Python mainstream web development framework,due to its high efficiency and convenience,a large number of web applications are migrating to Django.Native Django,however,does not provide effective XSS and CSRF defense capabilities for its Web applications.XSS defense of native Django has designed too simple to adapt to rich text application scenarios and overly depended on template variables.However,CSRF defense of native Django has designed too complex,learning to use high cost,and cannot defend against GET and HEAD requests.This paper first analyzes some shortcomings of native Django's XSS and CSRF defense.Then,in view of these deficiencies,and considering the function and performance,the web security defense system is designed and implemented for XSS defense and CSRF defense function of Django.Through the high decoupling of Django middleware,only a small amount of code can be modified to enable web applications already developed by Django to use the defense system.The defense system is composed of initialization module,XSS defense module,CSRF defense module,log management module and middleware interface.The focus of the defense system is the XSS defense module,because where there are XSS security vulnerabilities,there will be CSRF security vulnerabilities.Therefore,a strong XSS defense is a prerequisite for CSRF defense.The XSS defense has four main steps: invalid annotation filtering,bug tag fixing,danger tag and attribute filtering,and special character escape in plain text.And on this basis,the Anti CSRF Token policy is used to achieve CSRF defense capabilities.Finally,the test environment is built to test the function and performance of the defense system,and compare the corresponding functions of native Django.Theexperimental results show that the defense system can effectively defend against XSS attacks and CSRF attacks,while solving the shortcomings of native Django's XSS and CSRF defenses,and not causing too much delay,meeting the functional and performance requirements.