Django - Should I set show_toolbar in production for management users?
This video explains
Django - Should I set show_toolbar in production for management users?
--
Become part of the top 3% of the developers by applying to Toptal
https://topt.al/25cXVn
--
Music by Eric Matyas
https://www.soundimage.org
Track title: Techno Intrigue Looping
--
Chapters
00:00 Question
00:40 Accepted answer (Score 1)
01:34 Thank you
--
Full question
https://stackoverflow.com/questions/6012...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
--
Tags
#python #django
ACCEPTED ANSWER
Score 1
There are a couple of reasons why this is still risky:
You're making a lot of configuration information visible to users. If one of those admin accounts gets compromised then an attacker would have access to a lot of very useful low-level information about your server configuration.
Debug toolbar uses AJAX views to serve the debug information. While these views do check permissions, using them in production opens up another vector of attack, where someone could manipulate the client-side code for a management user to perform AJAX requests in the background to fetch data from these URLs, without the user knowing about it.
Both of these risks require other things to go wrong - it's a question of how much you value defence in depth.
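Added example, not code from the question or the accepted answer: a SHOW_TOOLBAR_CALLBACK for django-debug-toolbar that keeps the toolbar off whenever DEBUG is False, whoever is logged in, shown beside the account-only check the question asks about. The module path myproject.settings and the helper names are assumptions; toolbar_allowed() is kept free of Django so it runs stand-alone.

```python
from ipaddress import ip_address, ip_network


def weak_show_toolbar(user_is_staff):
    # The pattern from the question: gate only on the account. In production this
    # exposes settings, SQL and headers to anyone holding a compromised staff
    # session, and leaves the toolbar's AJAX views reachable to background requests.
    return user_is_staff


def toolbar_allowed(debug, remote_addr, internal_ips, user_is_superuser):
    """Pure decision behind show_toolbar(); Django-free so it can be unit tested."""
    if not debug:
        return False  # never outside DEBUG, regardless of who is logged in
    if not user_is_superuser:
        return False
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False  # unparsable or missing address: fail closed
    # Entries may be single hosts ("127.0.0.1") or ranges ("10.0.0.0/8").
    return any(addr in ip_network(net, strict=False) for net in internal_ips)


def show_toolbar(request):
    """Entry point for DEBUG_TOOLBAR_CONFIG['SHOW_TOOLBAR_CALLBACK']."""
    from django.conf import settings  # lazy import: module loads without Django

    # REMOTE_ADDR is the proxy's address behind a reverse proxy; only replace it
    # with a forwarded header if a trusted middleware has already validated it.
    return toolbar_allowed(
        debug=settings.DEBUG,
        remote_addr=request.META.get("REMOTE_ADDR", ""),
        internal_ips=getattr(settings, "INTERNAL_IPS", []),
        user_is_superuser=getattr(request.user, "is_superuser", False),
    )


# settings.py fragment (assumed module path):
# DEBUG_TOOLBAR_CONFIG = {"SHOW_TOOLBAR_CALLBACK": "myproject.settings.show_toolbar"}
```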