Point your browser at James Socol's website, Coffee on the Keyboard, and bookmark it. James - the Community Platforms Manager at Mozilla - is writing a great summary about web security focused on Django applications, but valid nonetheless for every framework.
These are the topics he's covering:
- Basics: locking your car doors.
  - Password Storage
  - XSS: Cross-Site Scripting
  - CSRF: Cross-Site Request Forgeries
  - Injections, SQL and Otherwise
  - Access Control
  - Session Fixation and Hijacking
  - Server Configuration
  - Click-jacking and a little Phishing
  - Stay Up to Date
- Advanced: Some gotchas from my experience and some things you may well see.
  - Mass Assignment
  - Cache Poisoning
  - Bots: Spam, Brute-force, and User Experience
  - CEF Logging
- What browsers are doing to help.
  - Content Security Policy
  - Do Not Track
  - Sandboxing
This is the link to the summary article.
Mozilla and Django
Maybe you don't know it, but Mozilla uses Django for a lot of things. For example, addons.mozilla.org is based on Django and its source is available on GitHub.
If you're interested in Django and Mozilla, you should check the Mozilla Webdev blog.
I can't stress it enough: it's a must read for every web developer.