Wagtail is NZ Government security compliant

Alan Doak, 07 July 2015

David Goehring - https://www.flickr.com/photos/carbonnyc/

Government web sites are one of the most common targets for hackers and malicious software. When we work for a New Zealand government agency we must comply with a given set of standards and best practices around web authentication and security. We've compiled a set of reusable tools that allow us to quickly meet these guidelines.

In New Zealand some of the most common requirements are:

  • Password strength. Enforce complex string generation for user passwords. Make use of dictionaries and other tools to avoid weak and common passwords.
  • Force password changes. Keep last N entries of a user password history to ensure it is set to a completely different value each time the user decides to change it.
  • Enforce password expiration dates.
  • Brute force protection. Auto block a user upon several failed login requests.
  • Scan any uploaded file with an antivirus software.

The beauty of having Wagtail as our preferred CMS solution is that enables us to use all the tools and apps provided by Django. We're able to pick some existing tools and wrap them in an app that can be easily integrated into Wagtail. We found some interesting ones:

Recently our work has been to combine these packages together and put them into a single app that can be used by any Wagtail powered website. We called this combination of features Wagtailenforcer and it's available in our Github public repository. It's still in early stages but it has been tested and used in production with a high profile government website that is using the latest stable version of Wagtail.

The great thing about this approach is we can easily add to this combination of security features and plug in other protections for users, for example two-factor authentication.

At Springload we strongly support open source software such as Django and Wagtail. If you would like to know more about any of those tools or security standards please get in touch.