The latest articles on Forem by Matteo Vitali (@trottomv). https://forem.com/trottomv https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2734053%2F003bdc72-a559-4656-a88d-6acd76a42996.jpg https://forem.com/trottomv en Matteo Vitali Sun, 13 Jul 2025 06:52:39 +0000 https://forem.com/trottomv/ai-agent-observability-with-opentelemetry-and-grafana-lgtm-4m57 https://forem.com/trottomv/ai-agent-observability-with-opentelemetry-and-grafana-lgtm-4m57 <p>AI is powerful. But why does observing it matter?</p> <p>AI agents are becoming more and more common in production. However, they often behave like black boxes: we send a prompt, we get a response… but what happens in between?</p> <p>In this post, I’ll show why instrumenting AI agents matters more than ever, using open source tools like OpenTelemetry and the Grafana LGTM stack — that is, Loki, Grafana, Tempo, and Mimir (and yes, also “Looks Good To Me”! 😉).</p> <h1> The challenge </h1> <p><strong>LLMs and AI agents are 'black boxes' systems:</strong></p> <ul> <li>Complex, <strong>non-deterministic</strong> behavior</li> <li>Internal <strong>'reasoning' is invisible at runtime</strong> </li> <li> <strong>Hard to explain</strong>, trust, or debug <strong>outputs</strong> </li> </ul> <p>🛡️ “You can’t govern or secure what you can’t observe.” (semicit.)</p> <h1> An open standards-based approach </h1> <p><strong>The OWASP Agent Observability Standard (AOS)</strong></p> <p><a href="https://aos.owasp.org" rel="noopener noreferrer">OWASP AOS</a> wants to bring standardized observability to AI systems:<br> Mission: Transform AI agents from black boxes into trustworthy systems through standardized observability.</p> <ul> <li> <strong>Instrumentation</strong> – via OpenTelemetry</li> <li> <strong>Traceability</strong> – end-to-end execution flow</li> <li> <strong>Inspectability</strong> – insights on inner workings</li> </ul> <h2> OpenTelemetry </h2> <p><a href="https://opentelemetry.io/" rel="noopener noreferrer">OpenTelemetry</a> is a CNCF project that provides a standardized framework for telemetry:</p> <ul> <li> <strong>Logs</strong> (timestamped events)</li> <li> <strong>Metrics</strong> (numerical KPIs)</li> <li> <strong>Traces</strong> (end-to-end execution paths)</li> </ul> <p>It supports manual and auto instrumentation, and works with many backends — including the Grafana LGTM stack.</p> <h3> 💻 Manual instrumentation (code based) </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>from openai import OpenAI from opentelemetry.instrumentation.openai_v2 import OpenAIInstrumentor OpenAIInstrumentor().instrument() client = OpenAI() response = client.chat.completions.create( model="gpt-4o-mini", messages=[ { "role": "user", "content": "Write a short poem on OpenTelemetry." } ], ) </code></pre> </div> <h3> ⚡ Auto instrumentation (zero code) </h3> <p>Alternatively, you can automatically instrument a Python app with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>FROM python:3.13-alpine ENV OTEL_EXPORTER_OTLP_ENDPOINT=otel-collector:4317 RUN pip install --no-cache-dir \ fastapi \ opentelemetry-distro \ opentelemetry-instrumentation COPY main.py . CMD ["opentelemetry-instrument", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"] </code></pre> </div> <h3> 📦 The OpenTelemetry Collector </h3> <p>A key component for managing telemetry data<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>receivers: otlp: protocols: grpc: endpoint: 0.0.0.0:4317 http: endpoint: 0.0.0.0:4318 hostmetrics: # otel-collector-contrib root_path: "/hostfs" collection_interval: 10s processors: batch: resourcedetection: detectors: ["env", "system"] exporters: otlp/traces: endpoint: tempo:4317 otlphttp/metrics: endpoint: http://mimir:9009/otlp otlphttp/logs: endpoint: http://loki:3100/otlp service: pipelines: traces: receivers: [otlp] processors: [batch, resourcedetection] exporters: [otlp/traces] metrics: receivers: [otlp, hostmetrics] processors: [batch, resourcedetection] exporters: [otlphttp/metrics] logs: receivers: [otlp] processors: [batch, resourcedetection] exporters: [otlphttp/logs] </code></pre> </div> <h2> Observability with OpenTelemetry and Grafana LGTM </h2> <p>Once data flows through the collector, the <a href="https://grafana.com/" rel="noopener noreferrer">Grafana</a> LGTM stack lets you explore:</p> <ul> <li>Logs in Loki</li> <li>Metrics in Mimir</li> <li>Traces in Tempo</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6djsagnglbv11zadn5ne.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6djsagnglbv11zadn5ne.png" alt=" " width="748" height="782"></a></p> <h2> PydanticAI agent instrumentation </h2> <p><a href="https://ai.pydantic.dev/" rel="noopener noreferrer">PydanticAI</a> is a Pythonic AI agent framework with native OpenTelemetry support<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>from pydantic_ai import Agent agent = Agent( 'google-gla:gemini-2.0-flash', system_prompt='Be concise, reply with one sentence.', instrument=True, ) result = agent.run_sync('Where does "hello world" come from?') print(result.output) </code></pre> </div> <h1> 📈 Inspect telemetry data </h1> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtzgifnqre5a9ilrowzq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdtzgifnqre5a9ilrowzq.png" alt=" " width="800" height="450"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbiysnx2uiiqmuy9iivxb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbiysnx2uiiqmuy9iivxb.png" alt=" " width="800" height="450"></a></p> <h1> 🤔 Final thoughts &amp; takeaways </h1> <p>Even the simplest “hello world” AI agent can be observed via metrics and traces, revealing how complex and resource-hungry LLM calls are,<br> benefit from structured observability for debugging and trust building.</p> <ul> <li> <strong>No business, No logic</strong> The AI agent is kept intentionally simple — a basic “hello world” — because the primary goal is to validate the power of observability in the context of agentic AI, not to showcase advanced intelligence.</li> <li> <strong>Analytical and empirical evaluation</strong> With OpenTelemetry and Grafana, it's possible to analyze the agent both quantitatively (through metrics and traces) and qualitatively (by observing its flow), demonstrating the real value of observability in monitoring and understanding AI systems.</li> <li> <strong>Conscious use of AI – Sometimes “a cannon is too much for a fly”</strong> Even a minimal AI agent benefits greatly from structured observability — it’s essential for understanding, debugging, and building trust. At the same time, it reveals a key insight: generating trivial output can come with a high computational cost, especially when relying on LLMs.</li> </ul> aiops observability opentelemetry grafana Matteo Vitali Sat, 10 May 2025 07:46:16 +0000 https://forem.com/trottomv/secure-by-design-in-python-a-fastapi-app-with-5-devsecops-tools-and-a-real-time-ssti-vulnerability-2e6n https://forem.com/trottomv/secure-by-design-in-python-a-fastapi-app-with-5-devsecops-tools-and-a-real-time-ssti-vulnerability-2e6n <h2> 🌟 Introduction </h2> <p>Security should not be an afterthought in software development. Instead, it should be a core principle baked into your design, code, and CI/CD workflows. <br> To demonstrate this approach, I've created an intentionally insecure FastAPI app as a playground. </p> <p><a href="https://github.com/trottomv/python-insecure-app" rel="noopener noreferrer">https://github.com/trottomv/python-insecure-app</a></p> <p>In this post, we'll walk through:</p> <ul> <li>5 open-source security tools (SCA, SAST, DAST, container scanning, API fuzzing)</li> <li>How they help uncover vulnerabilities</li> <li>How to remediate a <strong>real Server-Side Template Injection (SSTI)</strong> vulnerability in FastAPI</li> </ul> <p>Let's dive in 👇</p> <h2> 1️pip-audit: Python dependency vulnerability scanning </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip-audit </code></pre> </div> <p>This tool checks for known vulnerabilities in your Python dependencies using safety-db or PyPI advisories. It's simple, fast, and effective.</p> <p>Sample output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>jinja2 3.0.0 CVE-2022-XXXXX Template injection possible </code></pre> </div> <p><strong>Remediation:</strong></p> <ul> <li>Upgrade the affected package if a patched version is available</li> <li>Pin versions in <code>requirements.txt</code> </li> </ul> <h2> 2️Bandit: static code analysis (SAST) for Python </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bandit <span class="nb">.</span> </code></pre> </div> <p>Bandit performs static analysis on Python code to find common security issues like:</p> <ul> <li>Use of dangerous functions (<code>eval</code>, <code>exec</code>, etc.)</li> <li>Hardcoded passwords or secrets</li> <li>Insecure file handling</li> <li>External calls with <code>requests</code> without a timeout — which may lead to denial of service if the remote server hangs</li> </ul> <p><strong>But:</strong> Bandit currently <strong>does not detect Server-Side Template Injection (SSTI)</strong>, even when using jinja2 templates unsafely.</p> <p>Reference: <a href="https://github.com/PyCQA/bandit/issues/517" rel="noopener noreferrer">Issue #728</a></p> <p>This shows a limitation of SAST — it's useful, but <strong>not sufficient alone</strong>.</p> <h2> 3️Schemathesis: API fuzzing from OpenAPI schemas </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>schemathesis run http://localhost:8000/openapi.json </code></pre> </div> <p>Schemathesis generates test cases based on your OpenAPI schema and runs fuzzing-like checks on all endpoints.</p> <p>Benefits:</p> <ul> <li>Detects unexpected 500s and unhandled edge cases</li> <li>Validates assumptions in your parameter handling</li> </ul> <p>In our demo, this helped uncover inconsistent behavior in the root <code>/</code> endpoint, especially with template injection payloads.</p> <h2> 4️Trivy: container image vulnerability scanner </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>trivy image trottomv/python-insecure-app </code></pre> </div> <p>Trivy scans for:</p> <ul> <li>OS package vulnerabilities (APT, APK, etc.)</li> <li>Python dependency CVEs</li> <li>Misconfigurations</li> </ul> <p><strong>Hardening tips:</strong></p> <ul> <li>Use <code>python:3.12-slim</code> or smaller base images</li> <li>Avoid running as root (<code>USER app</code>)</li> <li>Consider introduce distroless approach</li> </ul> <p>Bonus: Trivy also outputs SBOMs for compliance.</p> <h2> 5️OWASP ZAP: dynamic app security testing (DAST) </h2> <p>ZAP acts as a proxy or scanner against your running app (e.g. FastAPI on <code>localhost:8000</code>).</p> <p>In our case, <strong>ZAP successfully discovered a Server-Side Template Injection (SSTI)</strong> vulnerability:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /?name={{7*6}} → "Hello 42!" </span></code></pre> </div> <p>This issue was <strong>not detected by Bandit</strong>, highlighting the importance of dynamic analysis.</p> <h2> 🛠️ Remediation: fixing the SSTI in FastAPI </h2> <p><strong>Vulnerable code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">HTMLResponse</span> <span class="kn">from</span> <span class="n">jinja2</span> <span class="kn">import</span> <span class="n">Template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_class</span><span class="o">=</span><span class="n">HTMLResponse</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">try_hack_me</span><span class="p">(</span><span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">John Ripper</span><span class="sh">"</span><span class="p">):</span> <span class="n">content</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">&lt;h1&gt;Hello, </span><span class="si">{</span><span class="n">name</span><span class="si">}</span><span class="s">!&lt;/h1&gt;</span><span class="sh">"</span> <span class="k">return</span> <span class="nc">Template</span><span class="p">(</span><span class="n">content</span><span class="p">).</span><span class="nf">render</span><span class="p">()</span> </code></pre> </div> <p>Why it's dangerous:</p> <ul> <li> <code>Template(content).render()</code> evaluates the string using Jinja2, which allows remote code execution if input is unsanitized</li> </ul> <p><strong>Secure fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># main.py </span><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span> <span class="kn">from</span> <span class="n">fastapi.responses</span> <span class="kn">import</span> <span class="n">HTMLResponse</span> <span class="kn">from</span> <span class="n">jinja2</span> <span class="kn">import</span> <span class="n">Template</span> <span class="n">app</span> <span class="o">=</span> <span class="nc">FastAPI</span><span class="p">()</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">,</span> <span class="n">response_class</span><span class="o">=</span><span class="n">HTMLResponse</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">try_hack_me</span><span class="p">(</span><span class="n">name</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">John Ripper</span><span class="sh">"</span><span class="p">):</span> <span class="n">content</span> <span class="o">=</span> <span class="sh">"</span><span class="s">&lt;h1&gt;Hello, {{name}}!&lt;/h1&gt;</span><span class="sh">"</span> <span class="k">return</span> <span class="nc">Template</span><span class="p">(</span><span class="n">content</span><span class="p">).</span><span class="nf">render</span><span class="p">(</span><span class="n">name</span><span class="o">=</span><span class="n">name</span><span class="p">)</span> </code></pre> </div> <p><strong>Test it:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># tests.py </span><span class="kn">from</span> <span class="n">fastapi.testclient</span> <span class="kn">import</span> <span class="n">TestClient</span> <span class="kn">from</span> <span class="n">main</span> <span class="kn">import</span> <span class="n">app</span> <span class="n">client</span> <span class="o">=</span> <span class="nc">TestClient</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="k">def</span> <span class="nf">test_root</span><span class="p">():</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/?name={{7*6}}</span><span class="sh">"</span><span class="p">)</span> <span class="k">assert</span> <span class="n">response</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">200</span> <span class="k">assert</span> <span class="sh">"</span><span class="s">42</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">.</span><span class="nf">decode</span><span class="p">()</span> </code></pre> </div> <h2> ✅ Conclusion </h2> <p>Security is not a tool — it's a mindset and a workflow.</p> <p>Combining:</p> <ul> <li> <code>pip-audit</code> for software composition analysis</li> <li> <code>bandit</code> for static code issues</li> <li> <code>schemathesis</code> for fuzzing testing on APIs</li> <li> <code>trivy</code> for vulnerability scanning and SBOMs generation on artifacts</li> <li> <code>zap</code> for dynamic runtime scanning</li> </ul> <p>...provides <strong>layered defense</strong>. Fixing real issues like SSTI shows how practical this approach is.</p> <p>If you're curious:</p> <ul> <li>🌐 Try the <a href="https://github.com/trottomv/python-insecure-app" rel="noopener noreferrer">demo app</a> </li> <li>✏️ Suggest improvements or contribute new findings</li> <li>🚀 Integrate these tools in your next CI/CD pipeline</li> </ul> <p>Stay secure ✨</p> python devsecops security webdev Matteo Vitali Sun, 19 Jan 2025 08:46:39 +0000 https://forem.com/trottomv/boost-your-django-projectss-security-with-proper-cache-control-on-views-546k https://forem.com/trottomv/boost-your-django-projectss-security-with-proper-cache-control-on-views-546k <p>Caching is great for performance, but sensitive data must never be cached! In Django, properly configuring Cache Control on your views ensures secure handling of sensitive content, such as login pages or user-specific data.</p> <p><strong>🔒 Why is Cache Control important?</strong><br> Without proper cache settings, sensitive data may be stored in the user's browser or intermediary proxies, exposing it to potential risks.</p> <p><strong>💡 How to configure Cache Control in Django?</strong><br> You can use the <code>@never_cache</code> decorator on function-based views to prevent them from being cached (as mentioned in the <a href="https://docs.djangoproject.com/en/5.1/topics/http/decorators/#django.views.decorators.cache.never_cache" rel="noopener noreferrer">official documentation</a>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">django.views.decorators.cache</span> <span class="kn">import</span> <span class="n">never_cache</span> <span class="nd">@never_cache</span> <span class="k">def</span> <span class="nf">my_secure_view</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> <span class="c1"># Your secure logic here </span> <span class="k">return</span> <span class="nc">HttpResponse</span><span class="p">(</span><span class="sh">"</span><span class="s">This page is protected from caching!</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>But what if you want to reuse this logic across multiple class-based views? <strong>You can create a reusable mixin</strong> for this purpose!<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># myproject/views.py </span> <span class="kn">from</span> <span class="n">django.contrib.auth.mixins</span> <span class="kn">import</span> <span class="n">LoginRequiredMixin</span> <span class="kn">from</span> <span class="n">django.utils.decorators</span> <span class="kn">import</span> <span class="n">method_decorator</span> <span class="kn">from</span> <span class="n">django.views.decorators.cache</span> <span class="kn">import</span> <span class="n">never_cache</span> <span class="nd">@method_decorator</span><span class="p">(</span><span class="n">never_cache</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">dispatch</span><span class="sh">"</span><span class="p">)</span> <span class="k">class</span> <span class="nc">PrivateAreaMixin</span><span class="p">(</span><span class="n">LoginRequiredMixin</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Override LoginRequiredMixin by adding Cache-Control rules.</span><span class="sh">"""</span> </code></pre> </div> <p>With this mixin, securing your class-based views becomes much simpler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># myapp/views.py </span> <span class="kn">from</span> <span class="n">django.views.generic</span> <span class="kn">import</span> <span class="n">TemplateView</span> <span class="kn">from</span> <span class="n">myproject.views</span> <span class="kn">import</span> <span class="n">PrivateAreaMixin</span> <span class="k">class</span> <span class="nc">IndexView</span><span class="p">(</span><span class="n">PrivateAreaMixin</span><span class="p">,</span> <span class="n">TemplateView</span><span class="p">):</span> <span class="sh">"""</span><span class="s">The index view.</span><span class="sh">"""</span> <span class="n">template_name</span> <span class="o">=</span> <span class="sh">"</span><span class="s">index.html</span><span class="sh">"</span> </code></pre> </div> <p><strong>🛠 Testing the Implementation</strong><br> Testing is crucial to ensure everything works as expected. Here's how you can test the <code>PrivateAreaMixin</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># myproject/tests/test_views.py </span> <span class="kn">from</span> <span class="n">django.test</span> <span class="kn">import</span> <span class="n">TestCase</span><span class="p">,</span> <span class="n">RequestFactory</span> <span class="kn">from</span> <span class="n">django.contrib.auth.models</span> <span class="kn">import</span> <span class="n">AnonymousUser</span> <span class="kn">from</span> <span class="n">django.contrib.auth</span> <span class="kn">import</span> <span class="n">get_user_model</span> <span class="kn">from</span> <span class="n">django.http</span> <span class="kn">import</span> <span class="n">HttpResponse</span> <span class="kn">from</span> <span class="n">django.views</span> <span class="kn">import</span> <span class="n">View</span> <span class="kn">from</span> <span class="n">myproject.views</span> <span class="kn">import</span> <span class="n">PrivateAreaMixin</span> <span class="k">class</span> <span class="nc">PrivateAreaMixinTest</span><span class="p">(</span><span class="n">TestCase</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Test private area Cache-Control override.</span><span class="sh">"""</span> <span class="n">factory</span> <span class="o">=</span> <span class="nc">RequestFactory</span><span class="p">()</span> <span class="nd">@classmethod</span> <span class="k">def</span> <span class="nf">setUpTestData</span><span class="p">(</span><span class="n">cls</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Initialize test data.</span><span class="sh">"""</span> <span class="n">cls</span><span class="p">.</span><span class="n">user</span> <span class="o">=</span> <span class="nf">get_user_model</span><span class="p">().</span><span class="n">objects</span><span class="p">.</span><span class="nf">create_user</span><span class="p">(</span> <span class="n">username</span><span class="o">=</span><span class="sh">"</span><span class="s">testuser</span><span class="sh">"</span><span class="p">,</span> <span class="n">email</span><span class="o">=</span><span class="sh">"</span><span class="s">user@test.xyz</span><span class="sh">"</span><span class="p">,</span> <span class="n">password</span><span class="o">=</span><span class="sh">"</span><span class="s">5tr0ngP4ssW0rd</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">test_login_required_with_cache_control</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Test login required and Cache-Control dispatched.</span><span class="sh">"""</span> <span class="k">class</span> <span class="nc">AView</span><span class="p">(</span><span class="n">PrivateAreaMixin</span><span class="p">,</span> <span class="n">View</span><span class="p">):</span> <span class="k">def</span> <span class="nf">get</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> <span class="k">return</span> <span class="nc">HttpResponse</span><span class="p">()</span> <span class="n">view</span> <span class="o">=</span> <span class="n">AView</span><span class="p">.</span><span class="nf">as_view</span><span class="p">()</span> <span class="c1"># Test redirect for anonymous users </span> <span class="n">request</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">factory</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="n">request</span><span class="p">.</span><span class="n">user</span> <span class="o">=</span> <span class="nc">AnonymousUser</span><span class="p">()</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">view</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">assertEqual</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">,</span> <span class="mi">302</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">assertEqual</span><span class="p">(</span><span class="sh">"</span><span class="s">/accounts/login/?next=/</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="p">.</span><span class="n">url</span><span class="p">)</span> <span class="c1"># Test authenticated user and cache control headers </span> <span class="n">request</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">factory</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">/</span><span class="sh">"</span><span class="p">)</span> <span class="n">request</span><span class="p">.</span><span class="n">user</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">user</span> <span class="n">response</span> <span class="o">=</span> <span class="nf">view</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">assertEqual</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">status_code</span><span class="p">,</span> <span class="mi">200</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">assertIn</span><span class="p">(</span><span class="sh">"</span><span class="s">Cache-Control</span><span class="sh">"</span><span class="p">,</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">)</span> <span class="n">self</span><span class="p">.</span><span class="nf">assertEqual</span><span class="p">(</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Cache-Control</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">max-age=0, no-cache, no-store, must-revalidate, private</span><span class="sh">"</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p><strong>🔥 Best Practice Tip:</strong><br> Using <code>@never_cache</code> with a mixin like <code>PrivateAreaMixin</code> makes your code reusable and clean. Combined with rigorous testing, this ensures your sensitive views remain secure and aligned with best practices.</p> <p>How do you handle caching and sensitive data in your Django projects?</p> <p><em>Update:</em><br> I’m excited to share that I’ve developed a new package, <a href="https://pypi.org/project/django-never-cache/" rel="noopener noreferrer">django-never-cache</a>, inspired by the concepts expressed in this post.</p> <p>This lightweight package simplifies applying Cache-Control rules to sensitive views by providing reusable utilities like mixins, middlewares and decorators. It is designed to make securing Django applications easier.</p> <p>Check it out on GitHub: <a href="https://github.com/trottomv/django-never-cache" rel="noopener noreferrer">https://github.com/trottomv/django-never-cache</a></p> <p>Feel free to try it out, share feedback, or even contribute to its development. 🚀</p> django cache webdev python