14

This might be a stupid question and have an obvious answer, but I was testing my 404 and 500 error handlers, meaning that I had to switch debug to False. I went to the Django admin page and noticed that static files are not being served.

I understand that they should be routed through Apache, as serving static files through Django is insecure. However, I don't quite understand why it is a security risk to serve static files through Django directly.

Mirac7
  • I don't think it is insecure. The real issue is that it is inefficient. – Stephen C Jun 28 '15 at 07:51
  • Then it's a little misleading to use the `--insecure` argument to force serving static files with `debug = False` – Mirac7 Jun 28 '15 at 07:56
  • By directly do you mean runserver? – cdvv7788 Jun 28 '15 at 07:58
  • @cdvv7788 Yes. I am aware that this is not to be used in production, but still... – Mirac7 Jun 28 '15 at 08:01
  • https://docs.djangoproject.com/en/1.8/ref/django-admin/#runserver-port-or-address-port They don't bother adding security nor performance to it, so it shouldn't be relied on. – cdvv7788 Jun 28 '15 at 08:05
  • @cdvv7788 But the argument `--insecure` only forces static file serving. I don't understand the security difference between `runserver` and `runserver --insecure` – Mirac7 Jun 28 '15 at 08:09

1 Answer

24

Here is what the Django 1.8 documentation says on the subject:

--insecure

Use the --insecure option to force serving of static files with the staticfiles app even if the DEBUG setting is False. By using this you acknowledge the fact that it’s grossly inefficient and probably insecure. This is only intended for local development, should never be used in production and is only available if the staticfiles app is in your project’s INSTALLED_APPS setting.

As you can see, they say "grossly inefficient" and "probably insecure". They didn't say "definitely insecure" or "insecure". I think that what they are hinting at is that they haven't done a thorough security analysis of the staticfiles app and its interactions with the rest of Django.

For me, the "grossly inefficient" part should be sufficient to deter you from serving static content. It is easy to do it better ... starting with the collectstatic command.

Some more searching led me to this Google Groups posting, in response to someone asking about why --insecure is insecure.

From: Malcolm Tredinnick

Nothing can be considered secure unless it is designed and audited for security. We have done neither with the static file server. It may not have existing security holes, but it should not be considered secure because that's not a design goal.

For example, a secure file server would need to check for resource allocation problems so that serving a very large file didn't constitute a denial-of-service attack. That requires a lot of extra code and pipeline management which isn't worth putting into something that's just for development purposes.

... which supports my interpretation.

Stephen C
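As an added illustration of the kind of checks Malcolm Tredinnick's quote refers to, here is a minimal static-file responder that confines requests to a root directory, refuses files over a size cap before reading a single byte, and streams the rest in bounded chunks. This is example code written for this page, not Django's code, and it makes no claim about what Django's development server does or lacks; the sample files, the size cap and the request paths are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

CHUNK_SIZE = 64 * 1024  # stream in 64 KiB pieces instead of one read()

class StaticFileError(Exception):
    """Request refused: escapes the root, is not a file, or is too large."""

def resolve_static_path(root: Path, requested: str) -> Path:
    """Map a URL path onto a regular file below root, rejecting escapes."""
    root = root.resolve()
    # Resolving both sides collapses '..' and symlinks before the comparison
    candidate = (root / requested.lstrip("/")).resolve()
    if root not in candidate.parents:
        raise StaticFileError(f"path escapes static root: {requested!r}")
    if not candidate.is_file():
        raise StaticFileError(f"not a regular file: {requested!r}")
    return candidate

def serve_static(root: Path, requested: str, max_bytes: int):
    """Run every check eagerly, then hand back a bounded chunk iterator."""
    path = resolve_static_path(root, requested)
    if path.stat().st_size > max_bytes:  # decided before any byte is read
        raise StaticFileError(f"{requested!r} exceeds the {max_bytes}-byte cap")
    return _iter_chunks(path)

def _iter_chunks(path: Path):
    with path.open("rb") as fh:  # peak memory stays at CHUNK_SIZE per request
        while chunk := fh.read(CHUNK_SIZE):
            yield chunk

def make_sample_root() -> Path:
    """Constructed static tree in a temp dir (sample data, not real assets)."""
    root = Path(tempfile.mkdtemp(prefix="static_demo_"))
    (root / "css").mkdir()
    (root / "css" / "site.css").write_bytes(b"body { margin: 0 }\n")
    (root / "huge.bin").write_bytes(b"\0" * (CHUNK_SIZE * 3))
    return root

def demo(max_bytes: int = CHUNK_SIZE * 2) -> dict:
    # Four outcomes: served, refused (escape), refused (size), chunk count
    root = make_sample_root()
    results = {"served": b"".join(serve_static(root, "css/site.css", max_bytes))}
    for name, req in (("traversal", "../outside.txt"), ("too_large", "huge.bin")):
        try:
            serve_static(root, req, max_bytes)
            results[name] = "served"  # would mean a check is missing
        except StaticFileError:
            results[name] = "refused"
    results["chunks"] = len(list(serve_static(root, "huge.bin", CHUNK_SIZE * 4)))
    return results
```

Running `demo()` serves the small stylesheet, refuses both the escaping path and the oversized file, and, when the cap is raised, still reads the 192 KiB file as three bounded chunks rather than one allocation.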