Security

next.dj inherits the Django security model and adds a few subsystem-specific surfaces. This section covers how each surface protects against common attacks and how to harden a deployment.

Security Overview

The threat model inherited from Django and the additions specific to next.dj.

CSRF and Forms

CSRF protection through the {% form %} tag and the re-render pipeline.

Static Asset Security

Origin, hash, and integrity for shipped CSS and JS.

DI and Untrusted Input

Treating URL, query, and form values as untrusted.

Reporting a Vulnerability

How to disclose a vulnerability privately.