Description
The django-silk profiling and inspection UI is unauthenticated and unauthorized by default (SILKY_AUTHENTICATION and SILKY_AUTHORISATION are False). This means that if django-silk is deployed to a production environment without explicitly configuring these settings, anyone with network access to the /silk/ URL can view sensitive application data, including request/response bodies, headers, query parameters, database queries, and potentially full Python profiles. This exposes internal application details, which can aid attackers in understanding the system and finding further vulnerabilities.
File: silk/config.py
Suggested Fix
In silk/config.py, change the default values:
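The exposure above comes from two settings silently defaulting to False. The following added example (not from django-silk or this report) mirrors that default behaviour in a small settings audit: a missing key is treated as False, a production-style settings module that installs silk without touching the auth settings is flagged, and a hardened module with both gates enabled passes. The sample settings dicts are constructed for the example; SILKY_PERMISSIONS is a real django-silk setting but is assumed here rather than taken from the report.

```python
# Added example: audit a Django settings module for an unguarded /silk/ UI.
# Reproduces the report's defaults: SILKY_AUTHENTICATION and
# SILKY_AUTHORISATION behave as False when they are not set.

# Constructed sample: production-style settings that enable silk but never
# set the auth gates (the risky default described in the report).
UNSAFE_SETTINGS = {
    "DEBUG": False,
    "INSTALLED_APPS": ["django.contrib.auth", "silk"],
    "MIDDLEWARE": ["silk.middleware.SilkyMiddleware"],
}

# Constructed sample: the same module with both gates on and access narrowed
# to superusers. SILKY_PERMISSIONS is assumed (a django-silk setting not
# quoted in the report).
SAFE_SETTINGS = {
    "DEBUG": False,
    "INSTALLED_APPS": ["django.contrib.auth", "silk"],
    "MIDDLEWARE": ["silk.middleware.SilkyMiddleware"],
    "SILKY_AUTHENTICATION": True,
    "SILKY_AUTHORISATION": True,
    "SILKY_PERMISSIONS": lambda user: user.is_superuser,
}


def silk_enabled(settings):
    """True if silk is installed as an app or wired in as middleware."""
    return "silk" in settings.get("INSTALLED_APPS", []) or any(
        m.startswith("silk.") for m in settings.get("MIDDLEWARE", [])
    )


def silk_findings(settings):
    """Return a list of findings; an empty list means the silk UI is gated.

    A missing key is read as False, matching the defaults in the report.
    """
    if not silk_enabled(settings):
        return []
    findings = []
    if not settings.get("SILKY_AUTHENTICATION", False):
        findings.append(
            "SILKY_AUTHENTICATION is False/unset: /silk/ requires no login"
        )
    if not settings.get("SILKY_AUTHORISATION", False):
        findings.append(
            "SILKY_AUTHORISATION is False/unset: any logged-in user may view /silk/"
        )
    # DEBUG=False suggests a production deployment, where the exposure matters most.
    if findings and not settings.get("DEBUG", False):
        findings.append("DEBUG is False: likely production, treat as high risk")
    return findings


if __name__ == "__main__":
    for name, cfg in (("unsafe", UNSAFE_SETTINGS), ("safe", SAFE_SETTINGS)):
        print(name, silk_findings(cfg) or "ok")
```

Running the audit against a real project means importing its settings module and passing `vars(settings_module)`; the two dicts above stand in for that so the example runs offline.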