We all seem to be quite taken with HTMX as a tool in our Django projects. There are a number of talks here at DjangoCon Europe on it as there were last fall at DjangoCon US.
I’m wondering if there are any known issues around it in the community? Especially at scale? I’ve not heard of any but surely there are some creeping around somewhere?
I think it’s hard for there to be django-specific security issues. htmx makes requests to your server for HTML, so there’s the usual requirements for permissions checks, but you always need that when exposing data.
Several times users have suggested that django-htmx add a “htmx only” decorator for views to deny requests that don’t have the
HX-Request header set. I have closed these suggestions because I think it’s at best unnecessary. Relying on blocking requests without that header may lead to laxer security standards.
As for performance, the Django Template Language is known to be relatively slow, so switching to Jinja2 would help. @orf did some benchmarks 10 years ago, and whilst there have been lots of optimizations in both libraries and Python itself, I think the gap is still there.
I found this some days ago and i wonder, if this is true. However, if so, what can be done do make htmx more secure, or is there a workaround by Django to ensure a secure web application?
HTMX not secure
Did you actually watch and listen to the entire video?
Yes, if your server is compromised or you serve untrusted or unvalidated html via HTMX, you can subject your users to XSS attacks.
How is that any different from any other platform or web framework?
You always need to validate or sanitize input supplied from the browser. You must never directly serve data supplied from a user to another user.
Django actually inhibits these types of attacks by escaping html-special characters by default. You have to disable those filters in order for user-supplied data to be rendered as html.
Thank you for your reply. Obviously i did not understand all. So it is great to have your explanation.
That means, i could use htmx in my Django projects, right? Sounds good.
I do - it has been a game-changer for me. I’ve done some things with HTMX, Django, and Channels that I have never successfully implemented before.
Excelent. So i will start to learn. Although it is “just” a hobby for me, i really enjoy working on my django project.
I’m curious as well. I’ve disabled eval, see htmx config. Not sure if there are other measures one could take.
From the docs at Security
You should, of course, escape all 3rd party untrusted content that is injected into your site to prevent, among other issues, XSS attacks.
What this translates to in Django terms is that any user-supplied data should either be rendered as part of a template, or passed through the
escape function before being sent back out.
If you do that with all data that doesn’t originate from a known source, you’ll be ok from that perspective.
But this isn’t specific to HTMX - this is something that should be done for all processes returning untrusted data to browsers.