How to secure APIs for Registration and Login in Django Rest Framework

Question

I am using it with token authentication using django-rest-framework-jwt and it returns the token when User logged in through our rest API.

So the question is how to secure any registration or login views for our API endpoints.Any high-level XSS scripts can have malicious looping for creating registrations.How can we secure it in Django Rest Framework ?

Niroj · Answer 1 · Jun 25, 2020

Hello @kartik,

you cannot have an authentication system like JWT protect your pages like login and registration. However there are many other things you can do. Below I have mentioned two of them briefly to get you started and rest you can study in detail.

First to address the XSS issue -

Implementation

Django provides middleware and settings added in settings>base.py Middleware:

django.middleware.security.SecurityMiddleware

Settings:

SECURE_BROWSER_XSS_FILTER = True
This sets header to X-XSS-Protection: 1; mode=block

Second Brute Force Attack
An automated programme may attack to hack username and password of a user or to slow down the server.

Implementation

Django Rest Framework provides inbuilt settings for throttling

REST_FRAMEWORK = {
    ...
    'DEFAULT_THROTTLE_CLASSES': (
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle',
        'rest_framework.throttling.ScopedRateThrottle',
    ),
    'DEFAULT_THROTTLE_RATES': {
        'anon': '60/minute',
        'app1': '10000/day',
        'app2': '10000/day',
    },
    ...
}

Hope it helps!!