$ ~/registry/skill/affaan-m-django-security

SKILL

django-security

帮助开发者落实 Django 安全最佳实践，构建更安全的认证、授权与部署方案。

星标

★ 209,790

来源

GitHub

更新于

2026-06-07

// 安全评估低风险

仅提示词，不执行代码
开源可审计
社区验证· 209.8k

正在进行安全审计…

凭证密钥
网络外发
代码执行
数据访问
来源供应链

// 安装

复制安装指令，让 AI 自动完成配置 · 推荐新手

请帮我安装 askskill 上的 "django-security" 技能：
1. 下载 https://raw.githubusercontent.com/affaan-m/ECC/main/skills/django-security/SKILL.md
2. 保存为 ~/.claude/skills/django-security/SKILL.md
3. 装好后重载技能，告诉我可以用了

// 下载

下载 SKILL.md机读安装清单 ↗

// 用法示例

审查 Django 项目安全配置

输入

请检查一个 Django 项目的安全配置清单，重点覆盖 SECRET_KEY、DEBUG、ALLOWED_HOSTS、CSRF、SESSION、Cookie 安全标志、密码策略与安全中间件，并给出加固建议。

预期产出

一份结构化的安全检查清单，包含风险说明、优先级和具体修复建议。

设计安全的认证与权限方案

输入

我在开发 Django 后台系统，请为我设计安全的登录、注册、找回密码、角色权限和对象级授权方案，并说明如何避免常见越权问题。

预期产出

一套可落地的认证授权设计建议，含权限模型、流程说明和风险防护要点。

防护常见 Web 安全漏洞

输入

请总结 Django 中防御 CSRF、SQL 注入、XSS 和不安全文件上传的最佳实践，并给出代码层面与部署层面的建议。

预期产出

针对常见漏洞的防护指南，包含框架特性用法、代码示例方向和部署注意事项。

// 文档

Django Security Best Practices

Comprehensive security guidelines for Django applications to protect against common vulnerabilities.

When to Activate

Setting up Django authentication and authorization
Implementing user permissions and roles
Configuring production security settings
Reviewing Django application for security issues
Deploying Django applications to production

Core Security Settings

Production Settings Configuration

# settings/production.py
import os

DEBUG = False  # CRITICAL: Never use True in production

ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', '').split(',')

# Security headers
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 31536000  # 1 year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
X_FRAME_OPTIONS = 'DENY'

# HTTPS and Cookies
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = 'Lax'
CSRF_COOKIE_SAMESITE = 'Lax'

# Secret key (must be set via environment variable)
SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')
if not SECRET_KEY:
    raise ImproperlyConfigured('DJANGO_SECRET_KEY environment variable is required')

# Password validation
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
        'OPTIONS': {
            'min_length': 12,
        }
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

Authentication

Custom User Model

# apps/users/models.py
from django.contrib.auth.models import AbstractUser
from django.db import models

class User(AbstractUser):
    """Custom user model for better security."""

    email = models.EmailField(unique=True)
    phone = models.CharField(max_length=20, blank=True)

    USERNAME_FIELD = 'email'  # Use email as username
    REQUIRED_FIELDS = ['username']

    class Meta:
        db_table = 'users'
        verbose_name = 'User'
        verbose_name_plural = 'Users'

    def __str__(self):
        return self.email

# settings/base.py
AUTH_USER_MODEL = 'users.User'

Password Hashing

# Django uses PBKDF2 by default. For stronger security:
PASSWORD_HASHERS = [
    'django.contrib.auth.hashers.Argon2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
]

Session Management

# Session configuration
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'  # Or 'db'
SESSION_CACHE_ALIAS = 'default'
SESSION_COOKIE_AGE = 3600 * 24 * 7  # 1 week
SESSION_SAVE_EVERY_REQUEST = False
SESSION_EXPIRE_AT_BROWSER_CLOSE = False  # Better UX, but less secure

Authorization

Permissions

# models.py
from django.db import models
from django.contrib.auth.models import Permission

class Post(models.Model):
    title = models.CharField(max_length=200)
    content = models.TextField()
    author = models.ForeignKey(User, on_delete=models.CASCADE)

    class Meta:
        permissions = [
            ('can_publish', 'Can publish posts'),
            ('can_edit_others', 'Can edit posts of others'),
        ]

    def user_can_edit(self, user):
        """Check if user can edit this post."""
        return self.author == user or user.has_perm('app.can_edit_others')

# views.py
from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
from django.views.generic import UpdateView

class PostUpdateView(LoginRequiredMixin, PermissionRequiredMixin, UpdateView):
    model = Post
    permission_required = 'app.can_edit_others'

…

查看完整文档 ↗

// 同源资产

MCP 工具★210k

ECC

帮助开发者为代码代理配置性能优化、安全防护与研究优先工作流。

affaan-m装→

技能★210k

database-migrations

提供数据库迁移、回滚与零停机发布的最佳实践指导，适用于多种 ORM 与 SQL 数据库。

affaan-m装→

技能★210k

santa-method

通过双评审智能体对结果进行对抗式校验，提升输出发布前的可靠性

affaan-m装→

技能★210k

rust-patterns

帮助你掌握地道 Rust 模式、所有权与并发实践，编写安全高性能应用。

affaan-m装→

技能★210k

cpp-coding-standards

基于 C++ Core Guidelines 编写、审查并重构更安全现代的 C++ 代码。

affaan-m装→

技能★210k

verification-loop

为 Claude Code 会话提供系统化校验流程，帮助检查结果正确性与质量。

affaan-m装→

// 功能相似

技能★210k

django-security

提供 Django 安全开发与部署最佳实践，帮助降低常见 Web 漏洞风险。

affaan-m装→

技能★210k

laravel-security

帮助开发者落实 Laravel 安全最佳实践，覆盖认证授权、常见漏洞防护与安全部署。

affaan-m装→

技能★210k

springboot-security

提供 Spring Boot 服务认证授权与安全加固最佳实践建议。

affaan-m装→

技能★210k

springboot-security

帮助开发者为 Spring Boot 服务落实认证授权与安全加固最佳实践。

affaan-m装→

技能★210k

laravel-security

提供 Laravel 安全最佳实践，帮助加固认证授权、输入校验与安全部署。

affaan-m装→

技能★210k

springboot-security

为 Spring Boot 服务提供认证鉴权、CSRF、防护头与依赖安全最佳实践

affaan-m装→

$ loading_

请帮我安装 askskill 上的 "django-security" 技能： 1. 下载 https://raw.githubusercontent.com/affaan-m/ECC/main/skills/django-security/SKILL.md 2. 保存为 ~/.claude/skills/django-security/SKILL.md 3. 装好后重载技能，告诉我可以用了

// 用法示例

审查 Django 项目安全配置

输入

请检查一个 Django 项目的安全配置清单，重点覆盖 SECRET_KEY、DEBUG、ALLOWED_HOSTS、CSRF、SESSION、Cookie 安全标志、密码策略与安全中间件，并给出加固建议。

预期产出

一份结构化的安全检查清单，包含风险说明、优先级和具体修复建议。

设计安全的认证与权限方案

输入

我在开发 Django 后台系统，请为我设计安全的登录、注册、找回密码、角色权限和对象级授权方案，并说明如何避免常见越权问题。

预期产出

一套可落地的认证授权设计建议，含权限模型、流程说明和风险防护要点。

防护常见 Web 安全漏洞

输入

请总结 Django 中防御 CSRF、SQL 注入、XSS 和不安全文件上传的最佳实践，并给出代码层面与部署层面的建议。

预期产出

针对常见漏洞的防护指南，包含框架特性用法、代码示例方向和部署注意事项。

// 文档

Django Security Best Practices

Comprehensive security guidelines for Django applications to protect against common vulnerabilities.

When to Activate

Setting up Django authentication and authorization
Implementing user permissions and roles
Configuring production security settings
Reviewing Django application for security issues
Deploying Django applications to production

Core Security Settings

Production Settings Configuration

# settings/production.py
import os

DEBUG = False  # CRITICAL: Never use True in production

ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', '').split(',')

# Security headers
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 31536000  # 1 year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_BROWSER_XSS_FILTER = True
X_FRAME_OPTIONS = 'DENY'

# HTTPS and Cookies
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_SAMESITE = 'Lax'
CSRF_COOKIE_SAMESITE = 'Lax'

# Secret key (must be set via environment variable)
SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')
if not SECRET_KEY:
    raise ImproperlyConfigured('DJANGO_SECRET_KEY environment variable is required')

# Password validation
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
        'OPTIONS': {
            'min_length': 12,
        }
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]

Authentication

Custom User Model

# apps/users/models.py
from django.contrib.auth.models import AbstractUser
from django.db import models

class User(AbstractUser):
    """Custom user model for better security."""

    email = models.EmailField(unique=True)
    phone = models.CharField(max_length=20, blank=True)

    USERNAME_FIELD = 'email'  # Use email as username
    REQUIRED_FIELDS = ['username']

    class Meta:
        db_table = 'users'
        verbose_name = 'User'
        verbose_name_plural = 'Users'

    def __str__(self):
        return self.email

# settings/base.py
AUTH_USER_MODEL = 'users.User'

Password Hashing

# Django uses PBKDF2 by default. For stronger security:
PASSWORD_HASHERS = [
    'django.contrib.auth.hashers.Argon2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2PasswordHasher',
    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
]

Session Management

# Session configuration
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'  # Or 'db'
SESSION_CACHE_ALIAS = 'default'
SESSION_COOKIE_AGE = 3600 * 24 * 7  # 1 week
SESSION_SAVE_EVERY_REQUEST = False
SESSION_EXPIRE_AT_BROWSER_CLOSE = False  # Better UX, but less secure

Authorization

Permissions

# models.py
from django.db import models
from django.contrib.auth.models import Permission

class Post(models.Model):
    title = models.CharField(max_length=200)
    content = models.TextField()
    author = models.ForeignKey(User, on_delete=models.CASCADE)

    class Meta:
        permissions = [
            ('can_publish', 'Can publish posts'),
            ('can_edit_others', 'Can edit posts of others'),
        ]

    def user_can_edit(self, user):
        """Check if user can edit this post."""
        return self.author == user or user.has_perm('app.can_edit_others')

# views.py
from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
from django.views.generic import UpdateView

class PostUpdateView(LoginRequiredMixin, PermissionRequiredMixin, UpdateView):
    model = Post
    permission_required = 'app.can_edit_others'

…

查看完整文档 ↗