Securing Python Web Applications
Often, security is only an afterthought when designing and building web applications with Python, which can have embarrassing, costly and sometimes dangerous consequences. Implementing “reasonably good” security is not very hard though, especially when thinking about it right from the start.
In this talk, I will explain several techniques for improving the security of Python-based web applications. As there is already plenty of material available on general security concepts, I will instead focus on more advanced topics like:
- Dividing the application into data layers and application service layers to reduce the attack surface and minimize the impact of security breaches.
- Advanced authentication techniques: how to use two-factor authentication and similar techniques to improve login security.
- How to defend against (simple) DDoS attacks and brute forcing.
- User security notifications & audit logs: how to let your users know about suspicious activity.
I will focus on API-centric web applications, though most of the points apply to “traditional” web apps as well. Example code for implementing the different techniques in popular web frameworks (Flask and Django) will be provided in a Github repository.
Jose Manuel Ortega
Software engineer & Security Researcher