My project this weekend was to optimize my site for security, and performance to prepare for an upcoming launch. Although I hadn’t been ignoring these things completely, I figured it was a good chance to step back and check where I was at and tweak where necessary. In this post I’m going to go over the steps I took to implement security measures in my Django site.
Note: before you check, none of the things I’m discussing here have been done on this site you’re reading. Right now I’m working exclusively on my Django side project, although I definitely would like to implement similar steps to my personal site soon.
My focus on security for this weekend was specifically on HTTP security. I’ve never really implemented HTTP security before, so for me this was totally a learning experience. I started off by adding an SSL cert to my Heroku server. They make it terribly easy to do since a cert comes free with any paid server. So after upgrading my Heroku server to the paid Hobby dyno I was feeling pretty good about myself. Security issues solved, right?
Okay, maybe not. A quick scan using Observatory by Mozilla made all my dreams of becoming a security super hero come crashing to a halt. My site had a big, fat F. (That’s for Fail, not Fantastic.) So what did I need to work on?
So I was addicted to Facebook. Like, really addicted. While at work, anytime I found myself stuck on a problem I’d immediately open a new browser tab just to zone out by reading the latest posts from friends and from any of the dozen groups I had subscribed to. I was living in a cycle of shallow, getting easily overwhelmed by my work and taking quick escapes before I had to think too hard about anything. I was like a rat with a button – just going to Facebook was giving me small dopamine hits, so I kept going and kept going.
I was also addicted at home. Facebook was always the most used app on my phone. I got on immediately when I woke up in the morning, I’d scroll as I walked my dog three times a day, and I’d zone out while I ate dinner. Hardly an hour would go by in my life when I didn’t check Facebook at least once.
I knew something had to change. I was addicted. But at least I had taken the first step: admitting I had a problem. Now I just had to do something about it.
My goal was not to complete quit Facebook, nor did I want to go cold turkey. My only goal was to stop turning to Facebook any time I was feeling an emotion. Instead, I wanted to feel the emotion, to experience discomfort, push through it and grow from it.
Lately I’ve noticed something. As much as I think about my side project and dream about quitting my day job to pursue it full time, I haven’t actually worked on it that much in the last few months. When I come home in the evening, instead of heading for my laptop and banging out a few lines of code, I head straight for the TV and zone out for the rest of the night. In the latter half of 2017 I spent considerably more of my attention juggling between Netflix, Facebook and Instagram than I had on the one thing I thought was my life’s purpose. I almost felt as if I was floating through my life rather than taking control of it. So I decided to do something about it.
I’m a big fan of Austin Kleon‘s. Every week I look forward to reading his newsletter and picking up all sorts of inspiration from them. On December first I opened his newsletter, cup of coffee in hand, like I do every Friday and in the very first paragraph the gauntlet was thrown. He was challenging me to take on a 30-day challenge for the remaining days of 2017, and for inspiration he added a couple of links. The first link to his article on how being an artist (or anyone who does creative work) is like living in the movie Groundhog’s Day, how you just have to put in the hours every day until one day you notice that you’ve actually built something worth having. The next link was to a printable 30-day challenge tracker.
Now I know that none of this is in any way profound. Probably since the beginning of modern humanity people have preached the gospel of putting in the work every day. We’ve all heard it a million times, but for me this time it finally sunk in. So I vowed that when I got home I would finally print out that simple page with its 30 boxes and get to work.
My challenge was straightforward: push code (any code) to my side project on GitHub every day in December. I didn’t set any parameters around the length of code or the time spent, but I just wanted to make sure that by the end of every day I had one line of functional code to add to my git repository. I was motivated and I was finally following the sage advice of Shia LaBeouf.
Perhaps a better title for this blog series would be “Django lessons learned the hard way”, since I seem to only have something to write about when I’ve really screwed something up and had to struggle to fix it. Usually that error came from not thinking out my data structures from the beginning, and having to back track.
Here’s where I screwed up this time. In my project I have a model called “Organization” which holds information about companies in my app. I’d built the model several months ago and went on my merry way creating objects and adding some related data when I realized, I had forgotten to add a user group to hold the administrators of the companies. This group is incredibly important because it will define who is allowed to view certain information about the company and edit details about it. Realizing my mistake I went back to add the group foreign key field, which would be fairly straight forward if it were a nullable field. Since it isn’t though, it takes a few steps to add it to the model.
In this mini tutorial we’ll add a new non-nullable One To One Field representing the administrator group for an organization. As always, I want to add the caveat here that I am still just a learner myself, so I may not know the best solution, but it’s one that has worked for me!
I’m back with another Django mini tutorial! This is something that probably a lot of people already know how to do, but since there’s no official documentation for creating custom Django form field widgets, I thought I’d write a post about the information I pieced together in my research. Most of what I learned about creating these widgets came from inspecting GitHub repositories from others who have done this before – so I’m no expert and I’m making a lot of assumptions. Nevertheless, something here might be useful to someone else!
For the project I’m working on I wanted to have a form field to write a short essay for an application. The essay could have a minimum word count, a maximum word count, both or neither. In the help text for the form field I displayed the essay length requirements, but I also wanted to display a word count and indicate if the current length was within the length limits. The resulting control I created looked something like this:
In this mini tutorial I’m going to walk through the steps that I used to create this custom widget.
I’ve recently started learning to program in Python with a Django front-end, and I’ve found that while most problems I come across can very easily be solved by looking at Django’s documentation, or by finding an answer on StackOverflow, occasionally I’ll come across a problem that I have to Google around for hours to figure out, piecing together solutions from all sorts of different sources. So I thought, I’ll post the solutions I finally figure out, and maybe, sometime down the road, some other Django newbie will find my article and it might save them a couple of hours.
With that, I give you my very first Django mini-tutorial!
Today’s problem was about redirecting. Whenever a view in Django uses the very handy @login_required decorator, you may notice that the URL for the login page contains a URL parameter indicating where the user should be redirected after they log in. For example, the URL might be http://www.domain.com/login/?next=/profile/5/, indicating that when the user completes logging in they should be redirected to user 5’s profile page. That’s all well and good… as long as the user already has an account. But if you wanted to have a sign up link at the bottom of your sign in form to allow the user to register, then the context will be lost. So my goal was to pass the “next” parameter on to the create account link so that the user will still be redirected to user 5’s profile after creating their shiny new account.
My mantra this year is Make Mistakes. That may seem a bit strange; after all, not many people would remind themselves daily that they should be making mistakes. But two things I’ve come across recently have made me think that this is exactly what we should be telling ourselves.
The first is the TED Radio Hour episode “The Source of Creativity” in which I learned that when musicians are being creative they suppress the pre-frontal cortex of the brain. That’s the area that’s responsible for filtering your actions and words; it’s what keeps you from saying stupid things – or making mistakes.
To sum it up in the episode they tied in a quote from Ken Robinson’s famous TED talk when he said
If you’re not prepared to be wrong you will never come up with anything original. Ken Robinson
The other is this quote from Neil Gaiman from way back in 2011 when he said:
I hope that in this year to come, you make mistakes. Because if you are making mistakes, then you are making new things, trying new things, learning, living, pushing yourself, changing yourself, changing your world. You’re doing things you’ve never done before, and more importantly, you’re doing something. Neil Gaiman
You do anything worth doing if you’re not prepared to make mistakes. And making them only proves that you’re working and creating and getting things done.