Dhruva Shaw
Miku Chan's Blog


Miku Chan's Blog

How to do a secure login in django

How to do a secure login in django

Dhruva Shaw's photo
Dhruva Shaw
·Jul 2, 2022·

3 min read

Play this article

Table of contents

Secure Login Challenge


This project addresses all the web vulnerabilities and implements login system in a secure way

Web vulnerabilities addressed

  • Cross Site Forgery Request
  • Clickjacking
  • SQL/NoSQL/LDAP/XML Injection
  • XSS Attack
  • Response Manipulation
  • Sensitive Information Disclosure
  • Authentication Bypass
  • Parameter Pollution & Mass Assignment
  • Credentials Over Unencrypted Channel
  • Missing Brute-Force Protection
  • User Enumeration
  • Throttling Requests
  • Remote Code Execution

Hosting Guide

1. Download the code

First install git in the system, then type the following command in command prompt

git clone https://github.com/Sainya-Rakshatam-Submission/secure-login.git
cd secure-login

2. Setup the Virtual Environment

Install python-3.9 in the system, then run the following command in the console

pip install virtualenv
virtualenv env
pip install -r requirements.txt

Now rename example.env to .env and now see this video on how to setup the .env file.

3. Setup the database

If you are in local environment then the project will automatically use the sqlite unless speficied the database url in the .env file. Following DATABASE URL's are supported Click Here And then install its respective database connector module from pypi. If you are in LOCAL environment then no need to install the database connector module since it will be using sqlite :) Click here for the video explanation

4. Migrate the sql queries to the database

Now in console run the following command

python manage.py migrate

5. Create a superuser for the site

To create a superuser for the site run the following commands line by line in the sole

python manage.py createsuperuser

after running the command provide the necessary details it asks

6. Compress the static files

To compress the static files then run the following command in the console

python manage.py collectcompress

7. Edit the CORS and ALLOWED_HOST header

Make sure to edit the CORS and ALLOWED_HOST header, otherwise you won't be able to access the site from the desired attched domain. Click here to goto the CORS and ALLOWED_HOST header

8. Edit the THROTTLING REQUESTS bumber

Make sure to edit the AXES_FAILURE_LIMIT confiiguration, this is the max number of failed login attempts, Defaults to 5. Click here to goto the THROTTLING REQUESTS configuration

9. Now run the project

For the windows users, run the following command

python manage.py runserver

and for the Linux and Mac users, run the following command

gunicorn securelogin.asgi:application -k securelogin.workers.DynamicUvicornWorker --timeout 500

Kamboom! The site is up on in local environment, now the credentials that you have given while creating the superuser using the createsuperuser command.

Youtube Video Explaining all

Github Repo

Did you find this article valuable?

Support Dhruva Shaw by becoming a sponsor. Any amount is appreciated!

See recent sponsors Learn more about Hashnode Sponsors
Share this