Information Disclosure in Django with Mutual Tls
Information Disclosure in Django with Mutual Tls
Information disclosure in Django when mutual TLS (mTLS) is used occurs when sensitive data is exposed during the TLS handshake or via misconfigured application behavior that leverages the mTLS context. In mTLS, both the client and server present certificates to prove identity. While this strengthens authentication, it can inadvertently expose information when errors, debug data, or misconfigured headers are returned to the client.
Django itself does not terminate TLS; this is typically handled by a reverse proxy such as Nginx, HAProxy, or a load balancer. When mTLS is enforced at the proxy layer, Django receives the client certificate details via headers (for example, SSL_CLIENT_CERT or a custom header set by the proxy). If Django or the proxy returns verbose error pages, stack traces, or reflection of certificate contents in responses, sensitive information such as certificate fields, protocol versions, or internal paths may be disclosed to an unauthenticated attacker.
Another vector arises from inconsistent handling of mTLS across endpoints. If some URLs require mTLS while others do not, an attacker may probe the unauthenticated surface and infer which endpoints carry sensitive operations. Additionally, if the application logs client certificate details or environment information and those logs are accessible or exposed through error reporting or debug endpoints, information leakage occurs. A concrete example: a misconfigured DEBUG setting in Django can cause detailed tracebacks that include environment variables, paths, and headers derived from the mTLS handshake, inadvertently revealing infrastructure details that aid further attacks.
Consider a scenario where a Django view accesses request.META to read the client certificate fingerprint for authorization but fails to handle missing or malformed certificates gracefully. An attacker can send requests that trigger exceptions, causing Django to return verbose error messages that include the certificate parsing logic path or the expected header names. This reveals implementation details about how mTLS is integrated, potentially exposing which certificate fields are trusted and how they are validated.
Real-world findings from scans often map such issues to OWASP API Top 10 categories like "Broken Object Level Authorization" and "Security Misconfiguration," and they may intersect with standards such as PCI-DSS when payment data is involved. Information disclosure through mTLS misconfigurations does not require authentication, making it a critical risk for unauthenticated attack surfaces. Proper remediation focuses on ensuring that error handling is consistent, headers are not reflected carelessly, and logging excludes sensitive certificate material.
Mutual Tls-Specific Remediation in Django
Remediation focuses on strict validation, secure error handling, and avoiding reflection of certificate details in responses. Configure your reverse proxy to enforce mTLS and pass only necessary certificate metadata to Django. In Django, avoid exposing certificate details in responses and ensure errors do not reveal stack traces or paths in production.
Below are concrete code examples demonstrating secure handling of client certificates in Django when mTLS is terminated at the proxy. The proxy sets a sanitized header (for example, X-Client-Cert-Subject) containing only the minimal required information, and Django uses this header for authorization without echoing raw certificate data.
Example 1: Proxy configuration (Nginx) with mTLS
server {
listen 443 ssl;
server_name api.example.com;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
# Enforce client certificate validation
ssl_client_certificate /etc/ssl/certs/ca.pem;
ssl_verify_client on;
# Pass only the subject to Django, avoiding raw certificate exposure
proxy_set_header X-Client-Cert-Subject $ssl_client_s_dn;
location / {
proxy_pass http://django_app;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Example 2: Django view securely using the sanitized header
import re
from django.http import JsonResponse, HttpResponseForbidden
from django.views import View
class ProtectedMtlsView(View):
# Minimal pattern to extract CN or specific fields; avoid reflecting full cert
SUBJECT_PATTERN = re.compile(r'CN=([^,/]+)')
def get(self, request):
cert_subject = request.META.get('HTTP_X_CLIENT_CERT_SUBJECT', '')
match = self.SUBJECT_PATTERN.search(cert_subject)
if not match:
return HttpResponseForbidden('Invalid client certificate')
common_name = match.group(1)
# Use common_name for authorization, e.g., lookup in a trusted list
if common_name not in self.allowed_clients():
return HttpResponseForbidden('Access denied')
return JsonResponse({'message': 'Success', 'client': common_name})
def allowed_clients(self):
# In practice, load from secure configuration or database
return {'alice', 'bob'}
Example 3: Error handling and logging hygiene
import logging
from django.views import View
from django.utils.log import log_response
logger = logging.getLogger('django.request')
class SafeMtlsView(View):
def dispatch(self, request, *args, **kwargs):
try:
return super().dispatch(request, *args, **kwargs)
except Exception as e:
# Log with minimal context; do not include raw certificate data
logger.warning('TLS-protected endpoint error', exc_info=False)
# Ensure DEBUG is False in production to prevent verbose tracebacks
if __name__ != '__main__':
return JsonResponse({'error': 'Internal server error'}, status=500)
raise
These examples emphasize that mTLS should be enforced at the edge, and Django should consume only minimal, sanitized metadata. Avoid returning certificate contents or detailed handshake information in responses. Combine this with environment hardening—disable DEBUG in production, restrict logging of sensitive headers, and ensure your proxy rejects invalid certificates before requests reach Django.