We selected web2py over Django and Pylons to replace RoR. Luckily, that project doesn't require paranoid security (hence our ability to use RoR in the past).

But we're evaluating web2py to replace a Win32 GUI intranet app, and preventing hacks on the server side is pretty high on the priority list for that project. For example, we want to prevent users from modifying web2py's .py files, etc., by exploiting security flaws in Python or Python modules. What are some ways to improve the security of web2py apps on production servers?

* Use mod_security and its Core Rule Set (no web2py compatibility issues?)
* Prevent the Apache2 user (www-data) from having write access or chmod rights to web2py application files?
* chown/chmod web2py files to require root access to upgrade to a newer web2py?

I'm not asking for changes to web2py. I'm just looking for best practices on projects that value security over certain features like web-based upgrades or web-based deployment, etc. For example, requiring root access to upgrade web2py would be seen as a benefit on at least one project.
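The second and third bullets above (deny www-data write access to the code, make upgrades a root-only operation) can be expressed as one ownership and permission scheme. The script below is an added example for this thread, not web2py project code or Apache documentation. It assumes web2py is installed in a single tree (here `$WEB2PY_ROOT`), that Apache runs as the user and group passed in (www-data on Debian/Ubuntu), and that the only directories web2py must write at request time are each application's `databases`, `sessions`, `errors`, `cache` and `uploads`; those names are the standard web2py application layout, the variable names and functions are mine.

```shell
#!/bin/sh
# Added example: lock down a web2py tree so the web server account can read
# but not modify any code. Code is owned by a privileged account (root in
# production), the web group gets read-only access, and only the per-app
# runtime directories are group-writable.
#
# Usage: harden_web2py /opt/web2py root www-data
#        writable_code_files /opt/web2py   # should print nothing

harden_web2py() {
    root=$1
    owner=$2   # account that is allowed to upgrade web2py (root in production)
    group=$3   # group Apache runs as (www-data on Debian/Ubuntu)

    # Everything in the tree: owner rw, web group r, nobody else anything.
    # 750 on directories lets the web group traverse; 640 on files lets it
    # read code and configs but not change them.
    chown -R "$owner:$group" "$root"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +

    # Per-application runtime directories web2py writes during requests
    # (session files, SQLite/migration metadata, error tickets, cache,
    # uploaded files). Create them now so they never need to be created
    # by www-data, then make them group-writable. The setgid bit keeps
    # new files in the web group.
    for app in "$root"/applications/*/; do
        [ -d "$app" ] || continue
        for d in databases sessions errors cache uploads; do
            [ -d "$app$d" ] || mkdir -p "$app$d"
            chown "$owner:$group" "$app$d"
            chmod 2770 "$app$d"
            find "$app$d" -type f -exec chmod 660 {} +
        done
    done
}

# Audit: list any file outside the runtime directories that the web group
# (or anyone else) could modify. Empty output means the code is read-only
# to www-data; run it after every deploy or from cron.
writable_code_files() {
    find "$1" \( -name databases -o -name sessions -o -name errors \
                 -o -name cache -o -name uploads \) -prune \
           -o -type f \( -perm -g=w -o -perm -o=w \) -print
}

# Helper for the audit: true if the directory itself is group-writable,
# which is what the runtime directories should be and the code should not.
dir_is_group_writable() {
    [ -n "$(find "$1" -prune -perm -g=w -print)" ]
}
```

With the tree owned by root and read-only to www-data, the admin application cannot write its `parameters_*.py` password file or unpack `.w2p` packages into the tree, so web-based upgrade and deployment stop working; an upgrade becomes a root-only `git pull` or unpack followed by `harden_web2py` again, which is exactly the trade-off described in the post. The audit function is the part worth keeping around: a single `chmod -R 777` by a hurried admin is the most common way this scheme silently degrades.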