Sensitive Files Middleware
- class smarter.lib.django.middleware.sensitive_files.SmarterBlockSensitiveFilesMiddleware(get_response)[source]
Bases:
SmarterMiddlewareMixinMiddleware to return HttpResponseForbidden for common sensitive files, regardless of whether these do or do not exist. This is a countermeasure against simple, brute-force attacks and automated ‘bot’ clients probing for sensitive files. This middleware works from a static list of common sensitive files and patterns, returning a 403 Forbidden response for requests matching these files.
This middleware inspects incoming HTTP requests and blocks access to files and paths that are commonly targeted by attackers or bots, such as configuration files, environment files, backup files, and private keys. If a client attempts to access these files more than a configurable threshold within a time window, their requests are throttled and further attempts are blocked with a 403 Forbidden response.
The middleware also supports an “amnesty” mechanism, allowing certain patterns to bypass blocking, and provides detailed logging for all blocking and throttling events.
- Variables:
THROTTLE_LIMIT (int) – The maximum number of blocked sensitive file requests allowed from a single client IP within the timeout period before blocking is triggered. Default is 5.
THROTTLE_TIMEOUT (int) – The duration of the timeout window in seconds during which blocked requests are counted and blocking is enforced. Default is 600 seconds (10 minutes).
allowed_patterns (tuple) – Patterns for which requests are granted amnesty and not blocked, even if they match sensitive files.
sensitive_files (set) – Set of filenames and patterns considered sensitive and subject to blocking.
Key Features
Blocks requests for a comprehensive list of sensitive files and file patterns.
Throttles repeated attempts from the same client IP and blocks further requests after a threshold.
Supports amnesty patterns to allow exceptions for specific paths.
Provides detailed logging for all blocking, throttling, and amnesty events.
Integrates with Django’s cache for tracking request counts and with application logging.
Note
Amnesty patterns can be configured via the
smarter_settings.sensitive_files_amnesty_patternsDjango setting.Logging is controlled via a waffle switch and the application’s log level.
The client IP is determined using the
get_client_ip()method.
Example
To enable this middleware, add it to your Django project’s middleware settings:
MIDDLEWARE = [ ... 'smarter.lib.django.middleware.sensitive_files.SmarterBlockSensitiveFilesMiddleware', ... ]
- Parameters:
get_response (callable) – The next middleware or view in the Django request/response chain.
- Returns:
The HTTP response object, or a 403 Forbidden response if the request is blocked.
- Return type:
django.http.HttpResponse or django.http.HttpResponseForbidden