I'm working on a game in Django where the majority of the interaction
comes through clicks that run JavaScript methods that use jQuery's
$.post() to post data to a url.  To protect against cheaters and bots,
I must ensure that every post is made by a logged-in user and protect
against cross-site scripting, and I certainly don't want any injection
attacks. I know Django has many protections against these built in,
but since most of my requests come through AJAX posts rather than URL
requests or form submissions, I was wondering what steps I need to
take to fully protect myself.

Specifically:

Each of my views uses the @login_required decorator; is there anything
else I need to do to ensure that the user is logged in and active
(i.e. do I need to check user.is_active)?

As stated above, my data comes through AJAX posts made by jQuery.  Is
this data automatically cleaned against SQL injection?  If not, is
there something in Django that I can call to access its cleaning
ability?  Or do I have to do it myself?

I remember reading that Django Forms (haha, I still want to call them
newforms.. good times) automatically prevent cross site request
forgery by including a hidden, random, token. Is there a way that I
can access this ability for my own prevention?

And of course: Are there any other possible security concerns you guys
can think of that I should know about and that will keep me up at
night?

If I can make a suggestion (although this is probably better for the
django-developers group), it would be really nice to have a document
that outlines all of the precautions you should take for security.

Thanks so much!

Taylor
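
The three checks the question asks about, as an added example that is not part of the original message and is not Django's own code: a stdlib-only model of what a protected AJAX view does, so it runs without a Django install. `User`, `build_request` and `handle_move` are constructed stand-ins for `request.user`, the request object and the view; the player table and its rows are constructed sample data. `score_unsafe` is kept only to show, beside `score_parameterized`, why a bound parameter (what the ORM uses for every lookup) neutralizes a quote in the posted value, and `csrf_ok` models the cookie-versus-header comparison that Django's CSRF middleware performs for AJAX posts.

```python
import hmac
import secrets
import sqlite3

# Constructed sample rows standing in for a game's player table.
SAMPLE_PLAYERS = [("alice", 120), ("bob", 95)]


class User:
    """Constructed stand-in for request.user; only the two flags that matter here."""

    def __init__(self, username, is_authenticated, is_active):
        self.username = username
        self.is_authenticated = is_authenticated
        self.is_active = is_active


def make_db():
    """In-memory SQLite table filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE player (name TEXT, score INTEGER)")
    conn.executemany("INSERT INTO player VALUES (?, ?)", SAMPLE_PLAYERS)
    conn.commit()
    return conn


def score_unsafe(conn, name):
    """Anti-pattern: request data spliced into the SQL text, so a quote in
    `name` rewrites the query. Kept only to contrast with the safe version."""
    sql = "SELECT score FROM player WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def score_parameterized(conn, name):
    """What the ORM (and raw queries with params) does for you: the value is
    bound as a parameter, so it can only ever be compared as a string."""
    rows = conn.execute("SELECT score FROM player WHERE name = ?", (name,))
    return [row[0] for row in rows]


def issue_csrf_token():
    """Random token the server sets in the csrftoken cookie."""
    return secrets.token_hex(32)


def csrf_ok(cookie_token, header_token):
    """Double-submit check: the X-CSRFToken header the script sends must match
    the csrftoken cookie. Missing values fail closed; compare_digest avoids
    leaking the token through comparison timing."""
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), header_token.encode())


def build_request(user, cookie_token, header_token, opponent, method="POST"):
    """Constructed request object (a dict) shaped like what the view reads."""
    return {
        "method": method,
        "user": user,
        "cookies": {"csrftoken": cookie_token} if cookie_token else {},
        "headers": {"X-CSRFToken": header_token} if header_token else {},
        "post": {"opponent": opponent},
    }


def handle_move(request, conn):
    """Checks a protected AJAX view needs, in the order they should run:
    POST only, CSRF, then login plus is_active, then a parameterized lookup.
    Returns (status, body) like a minimal HttpResponse."""
    if request["method"] != "POST":
        return 405, "POST required"
    if not csrf_ok(request["cookies"].get("csrftoken"),
                   request["headers"].get("X-CSRFToken")):
        return 403, "CSRF check failed"
    user = request["user"]
    if not (user.is_authenticated and user.is_active):
        return 403, "login required"
    scores = score_parameterized(conn, request["post"].get("opponent", ""))
    return 200, scores


if __name__ == "__main__":
    db = make_db()
    token = issue_csrf_token()
    alice = User("alice", True, True)
    print(handle_move(build_request(alice, token, token, "bob"), db))
    print(score_unsafe(db, "x' OR '1'='1"), score_parameterized(db, "x' OR '1'='1"))
```

In a real Django project the same three layers are `CsrfViewMiddleware` (with the page's script copying the `csrftoken` cookie value into an `X-CSRFToken` request header before calling `$.post()`), `@login_required` together with `@require_POST` on the view, and ordinary ORM lookups such as `Player.objects.filter(name=opponent)`, which are parameterized for you; the deliberate `score_unsafe` pattern above is the only thing here you must not copy.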

