Understanding Tornado Security Features

Tornado is a powerful Python web framework and asynchronous networking library, and like any robust framework, it comes with a set of security features that are essential for building secure applications. In this article, we'll explore these features and how to use them effectively.

Cross-Site Request Forgery (CSRF) Protection

Cross-Site Request Forgery (CSRF) is a type of attack that tricks a victim's browser into sending a request to a web application in which the victim is already authenticated. Tornado protects against it by setting a random token in an _xsrf cookie and refusing any state-changing request that does not carry the same token as a request argument, which a page on another origin cannot read.

You can enable CSRF protection in Tornado with the xsrf_cookies application setting:

tornado.web.Application(handlers=[...], xsrf_cookies=True)

and include the _xsrf argument in every POST request, for example as a hidden form field rendered from the handler's token:

<form method="post">
    <input type="hidden" name="_xsrf" value="{{ handler.xsrf_token }}"/>
    ...
</form>

Secure Cookies

Tornado's secure cookies are a way of storing user data between requests on the client side. A secure cookie value is signed with the application's cookie_secret setting and carries a timestamp, so a client that tampers with the value, or replays an old one past its maximum age, is detected and the cookie is rejected.

Here is how you can set a secure cookie (the application must be created with a cookie_secret setting):

self.set_secure_cookie("user", "username")

And get the value of the secure cookie:

user = self.get_secure_cookie("user")  # bytes, or None if the cookie is missing, tampered with or expired
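To make "signed and timestamped" concrete, here is an added example, my own stand-alone code rather than tornado.web's, that builds and verifies a cookie value in the layout Tornado's version-2 secure cookies use as I understand it: length-prefixed fields, an HMAC-SHA256 over the key version, timestamp, cookie name and base64 value, and a 31-day default maximum age. The secret and cookie values are constructed for the example.

```python
import base64
import hashlib
import hmac
import time

def _field(s: bytes) -> bytes:
    # Length-prefixed field ("<len>:<bytes>") so a "|" inside a value cannot
    # shift the field boundaries when the cookie is parsed.
    return b"%d:" % len(s) + s

def _signature(secret: str, signed: bytes) -> bytes:
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest().encode()

def create_signed_value(secret: str, name: str, value: str, clock=time.time) -> bytes:
    # The cookie name and the timestamp sit inside the signed region, so a value
    # cannot be replayed under another cookie name or after it has expired.
    timestamp = str(int(clock())).encode()
    to_sign = b"|".join([b"2", _field(b"0"), _field(timestamp), _field(name.encode()),
                         _field(base64.b64encode(value.encode())), b""])
    return to_sign + _signature(secret, to_sign)

def decode_signed_value(secret: str, name: str, value: bytes,
                        max_age_days: float = 31, clock=time.time):
    """Return the value, or None if malformed, forged, renamed or older than max_age_days."""
    def consume(rest: bytes):
        length, _, rest = rest.partition(b":")
        n = int(length)                      # ValueError on garbage
        if rest[n:n + 1] != b"|":
            raise ValueError("bad field length")
        return rest[:n], rest[n + 1:]
    try:
        if not value.startswith(b"2|"):
            return None
        _key_version, rest = consume(value[2:])
        timestamp, rest = consume(rest)
        name_field, rest = consume(rest)
        value_field, passed_sig = consume(rest)
    except ValueError:
        return None
    if len(passed_sig) != 64:                # hex SHA-256 digest
        return None
    # Constant-time comparison before any field is trusted.
    if not hmac.compare_digest(passed_sig, _signature(secret, value[:-64])):
        return None
    if name_field != name.encode():
        return None
    if int(timestamp) < clock() - max_age_days * 86400:
        return None
    return base64.b64decode(value_field)
```

An edited value, a cookie presented under another name, or a clock 32 days ahead all decode to None, which is why callers of get_secure_cookie must handle a None result.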

User Authentication

Tornado makes it easy to implement user authentication. The @tornado.web.authenticated decorator ensures that a user is logged in, that is, that self.current_user is set by your get_current_user method, before the handler runs; otherwise a GET request is redirected to the login_url setting and other methods get a 403.

Here is an example of how to use this decorator:

import tornado.web

class MainHandler(tornado.web.RequestHandler):
    def get_current_user(self):  # required by the decorator; None means not logged in
        return self.get_secure_cookie("user")

    @tornado.web.authenticated
    def get(self):
        self.write("Hello, " + self.current_user.decode())  # get_secure_cookie returns bytes

HTTPS Support

HTTPS encrypts the data sent between the client and the server, so that sensitive information such as session cookies can't be read or altered in transit. Tornado supports HTTPS out of the box. To enable it, provide an SSL certificate and its private key when creating the HTTP server:

import tornado.httpserver

http_server = tornado.httpserver.HTTPServer(application, ssl_options={
    "certfile": "/path/to/mycert.pem",
    "keyfile": "/path/to/mykey.pem",
})
http_server.listen(443)

Conclusion

Security is a critical aspect of any web application, and Tornado provides a comprehensive set of features to help developers secure their applications. By understanding how to use these features effectively, you can significantly enhance the security of your Tornado applications.