1👍
✅
HYour question goes beyond Django in particular and my guess is this is simply a matter of best practices and security on the web (regardless of framework or language used).
What you are doing is basically correct (and sane!), given that you take the below writing into consideration.
First, the handling of the data from the client to your server-side app:
- Session protection: Protect these
POST
reachable URLs via session tokens (Is the user logged in or not? Are they known to your app?) - CSRF protection: Make use of CSRF tokens to protect against cross site scripting attacks
- Ownership checks: Is the ticket owned by the user deleting it?
- HTTP Method checking: Limit the audience for these URLs to
POST
only (noGET
,PATCH
, …).
Then, regarding input sanitation. This can be dealt with on at least two levels:
- Type checking: While fragile, your View code should check (or try to convert) what kind of data came in (integers, strings, …) and see if this is what was expected
- SQL Parameter binding: The code that queries your database should construct your queries using parameter binding, so no SQL injections can happen (assuming you are using an SQL database)
If you have got all that setup, I think you have a solid base.
Source:stackexchange.com