Security Misconfiguration in Django with Mutual Tls
Security Misconfiguration in Django with Mutual Tls — how this specific combination creates or exposes the vulnerability
Security misconfiguration in Django when Mutual TLS (mTLS) is used often centers on incomplete or incorrect TLS termination and authentication settings. mTLS requires both the client and the server to present valid certificates during the handshake. If Django is placed behind a load balancer or reverse proxy that handles TLS termination, developers might inadvertently allow unauthenticated requests to reach the Django application when they intended to enforce client certificate validation.
A common misconfiguration is relying solely on the proxy for mTLS while Django’s settings do not enforce client certificate verification. For example, if SECURE_PROXY_SSL_HEADER is set but CSRF_COOKIE_SECURE, SESSION_COOKIE_SECURE, or proper view-level decorators are missing, an attacker could exploit the mismatch between proxy and application to bypass authentication or inject insecure traffic. Additionally, failing to validate the client certificate chain properly can expose the application to impersonation attacks.
Another specific risk arises when developers map mTLS client certificates to user identities without adequate checks. If Django does not validate that the certificate subject or serial number maps to an active, authorized user, an attacker could present any valid client certificate and gain access. This is a classic broken access control scenario tied to the authentication configuration. The OWASP API Security Top 10 category Broken Object Level Authorization (BOLA) often intersects with mTLS misconfigurations when authorization checks are not applied consistently after authentication.
Data exposure can occur if logs or error messages inadvertently capture certificate contents or metadata. Without proper input validation and secure handling of the request’s TLS-related attributes, sensitive information may be exposed. Ensuring that Django’s logging configuration excludes sensitive headers and that middleware enforces strict transport security is essential.
To detect issues like these, scanning tools can analyze the unauthenticated attack surface and cross-reference OpenAPI specs with runtime behavior. For teams using continuous monitoring, the Pro plan’s GitHub Action can fail builds if security scores drop below a defined threshold, helping catch misconfigurations before deployment.
Mutual Tls-Specific Remediation in Django — concrete code fixes
Remediation focuses on ensuring Django validates client certificates, enforces secure headers, and integrates cleanly with mTLS infrastructure. Below are concrete steps and code examples.
1. Configure Django to trust the proxy and enforce SSL
When terminating TLS at a load balancer, set the following in settings.py to ensure Django respects the proxy’s SSL termination while maintaining secure cookies and requiring HTTPS.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_HTTPONLY = True
CSRF_COOKIE_SAMESITE = 'Strict'
SESSION_COOKIE_SAMESITE = 'Strict'
2. Validate client certificates at the view or middleware level
Map the client certificate’s subject or serial to an authorized user. Use middleware to inspect the request’s peer certificate, available via request.META when the proxy passes it securely (e.g., SSL_CLIENT_CERT).
import ssl
from django.http import HttpResponseForbidden
def validate_client_cert(get_response):
def middleware(request):
cert_pem = request.META.get('SSL_CLIENT_CERT')
if not cert_pem:
return HttpResponseForbidden('Client certificate required')
# Perform validation: parse PEM, verify chain, check revocation, etc.
# Example: ensure subject matches an allowed user or mapping
if not is_valid_client(cert_pem):
return HttpResponseForbidden('Invalid client certificate')
response = get_response(request)
return response
return middleware
def is_valid_client(cert_pem: str) -> bool:
# Implement proper certificate validation (chain, expiry, CRL/OCSP, etc.)
# This is a placeholder for robust PKI checks
return cert_pem and 'trusted' in cert_pem # simplistic example
3. Map certificate attributes securely
After validating the certificate, extract a stable identifier (e.g., subject DN or serial) and ensure it maps to an active user with appropriate permissions. Avoid relying on unverified claims from the proxy about user identity.
import ssl
from django.contrib.auth import get_user_model
from django.core.exceptions import PermissionDenied
User = get_user_model()
def get_user_from_cert(cert_pem: str):
# Extract subject or serial; this is simplified
subject = extract_subject_from_cert(cert_pem)
user = User.objects.filter(username=subject).first()
if user is None or not user.is_active:
raise PermissionDenied('User not found or inactive')
return user
def extract_subject_from_cert(cert_pem: str) -> str:
# Parse certificate and return subject; real implementation uses cryptography
return 'example-user' # placeholder
4. Use Django middleware and decorators consistently
Apply decorators like require_http_methods and ensure HTTPS is enforced site-wide. Combine mTLS validation with standard Django permission checks to prevent BOLA issues.
from django.views.decorators.http import require_http_methods
from django.views.decorators.csrf import csrf_exempt
@require_http_methods(["GET", "POST"])
def my_protected_view(request):
# mTLS middleware has already validated the client
# Additional authorization checks should follow principle of least privilege
return HttpResponse('OK')
By combining strict transport settings, client certificate validation in middleware, and careful mapping of certificate attributes to application identities, Django applications can securely leverage mTLS while minimizing misconfiguration risks.