vgs-samples/vgs-django-sample-id-verification


vgs-django-pii-sample

Sample of using VGS to secure PII data (Django).

Instructions for using this App

This demo app demonstrates a typical scenario for securing (redacting) and revealing traffic between a customer application and a third-party operator, in this sample the Checkr API.

Requirements

  • Docker and Docker Compose (the app is started from docker-compose.yml by rerun.sh)
  • ngrok, to make the local app reachable by the VGS proxy
  • A VGS Dashboard account, with an organization and a vault
  • A Checkr API key (CHECKER_API_KEY)

First Start

  1. Clone this repository
  2. Ensure both INBOUND_ROUTE and OUTBOUND_ROUTE in idVerification/settings.py are empty.
    2.1 Ensure VGS_INBOUND_URL in docker-compose.yml is set to http://vgs-django-sample:8000 (see "Why we use Nginx" below).
  3. Set your CHECKER_API_KEY in docker-compose.yml
  4. Run the rerun.sh script

The application will start in a Docker container and be available at http://localhost:8001/app/

Before integrating with VGS the application works, but it stores the raw PII (personally identifiable information) it receives in its own storage.

Ngrok and Django

  1. Force ngrok to present a fixed host name to Django via the -host-header command-line flag (this needs a reserved subdomain, a paid ngrok feature):
ngrok http -bind-tls=true -subdomain=vgssl5 -host-header=${VGS_TENANT_IDENTIFIER}.sandbox.verygoodproxy.com 8000

NOTE: You can also use a random subdomain, without the paid reserved-subdomain feature above:

ngrok http 8000
  2. Set the following in Django's settings.py:
ALLOWED_HOSTS = ['localhost', '.verygoodproxy.com']

A value with a leading dot matches that domain and all of its subdomains. Keep the list to the hosts the app is actually served from rather than using '*': ALLOWED_HOSTS is Django's defence against Host header attacks. If you run ngrok without -host-header, Django receives the ngrok host name in the Host header, so that host (the domain ngrok prints when it starts) has to be in the list as well.

Once these configurations are set, ngrok and Django play nicely together.

How to secure application with VGS

To make the local application reachable from the internet, run ngrok with ngrok http 8000 (port 8000, not 8001, which is used by Nginx). Use the ngrok URL as the upstream host when setting up the inbound route.

  1. Go to VGS-Dashboard, create a new organization, then create a new vault. This is where the PII data will be stored.
  2. Set up inbound traffic protection:
    • go to Routes
    • create a new inbound route: Add new route -> New inbound route
    • set Upstream Host to the ngrok endpoint from above (e.g. https://<some id>.ngrok.io -> localhost:8000)
  3. Set up a REDACT on request filter, so that our system never stores PII data in our DB:
    • Conditions:
      • HTTP Method equals POST
      • PathInfo equals /app/add
    • Phase: On request
    • Operation: REDACT
    • Form
      • Fields in FormData:
        • SSN
        • driver_license_number
    • leave all other fields at their default value
  4. To make the data readable for the customer who owns it, Add filter to reveal the PII data in the client's response:
    • add a new filter in the inbound route
    • Conditions:
      • PathInfo begins with /app/api/data
      • HTTP Method equals GET
      • ContentType equals application/json
    • Phase: On response
    • Operation: REVEAL
    • Json
      • Fields in JSON path:
        • $.social_security_number
        • $.driver_license_number
    • leave all other fields at their default value
  5. Click the Save button and check the result of the inbound route creation in Routes.

Next we are going to create the outbound route.

  1. Set up the outbound route for processing the original data on checkr.com:
    • go to Routes
    • create a new outbound route: Add new route -> New outbound route
    • set Upstream Host to the Checkr API host, api.checkr.com
  2. Set up a filter that reveals the PII data in the client's request to Checkr:
    • Conditions:
      • PathInfo equals /v1/candidates
      • HTTP Method equals POST
    • Phase: On request
    • Operation: REVEAL
    • Json
      • Fields in JSON path:
        • $.ssn
        • $.driver_license_number
    • leave all other field values as they are
  3. So that the user's PII from the Checkr response is never stored, add a new REDACT on response filter in the outbound route:
    • Conditions:
      • PathInfo equals /v1/candidates
    • Phase: On response
    • Operation: REDACT
    • Json
      • Fields in JSON path:
        • $.ssn
        • $.driver_license_number
  4. Click the Save button and check the result of the outbound route creation in Routes.
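To make the four filters above (the two inbound filters and the two outbound filters) concrete, here is an added example that is not part of this sample and not VGS code: a small Python simulation of the proxy's redact/reveal behaviour, with an in-memory stand-in for the vault and the filters expressed as data. The alias shape (tok_sandbox_...), the stable alias per value, the Message/Filter/Vault names and the sample PII are assumptions made for the simulation; real VGS aliases and matching semantics are defined by the proxy. walk_through() replays the four hops (browser to Django, Django to browser, Django to Checkr, Checkr to Django) and also shows the main caveat: a path the filter conditions do not cover, such as a second form that accepts an SSN, is forwarded to Django untouched.

```python
import json
import secrets
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlencode

# A response Message carries its request's method and path so the filter conditions can see them.
Message = namedtuple("Message", "method path headers body")

class Vault:
    """In-memory stand-in for the VGS vault; aliases are stable per value (a simulation choice)."""
    def __init__(self) -> None:
        self._by_alias, self._by_value = {}, {}
    def redact(self, value: str) -> str:
        if value not in self._by_value:
            alias = "tok_sandbox_" + secrets.token_hex(8)  # assumed alias shape; real VGS aliases differ
            self._by_value[value], self._by_alias[alias] = alias, value
        return self._by_value[value]
    def reveal(self, alias: str) -> str:
        return self._by_alias.get(alias, alias)  # anything that is not an alias passes through untouched

@dataclass
class Filter:
    phase: str                          # "request" or "response"
    operation: str                      # "REDACT" or "REVEAL"
    content: str                        # "form" (urlencoded) or "json"
    fields: List[str]                   # form field names, or top-level "$.name" JSON paths
    method: Optional[str] = None        # condition: HTTP method equals
    path: Optional[str] = None          # condition: PathInfo equals
    path_prefix: Optional[str] = None   # condition: PathInfo begins with
    content_type: Optional[str] = None  # condition: Content-Type of the message in this phase equals

    def matches(self, msg: Message) -> bool:
        ctype = msg.headers.get("Content-Type", "").split(";")[0].strip()
        return ((not self.method or msg.method == self.method)
                and (not self.path or msg.path == self.path)
                and (not self.path_prefix or msg.path.startswith(self.path_prefix))
                and (not self.content_type or ctype == self.content_type))

    def apply(self, vault: Vault, msg: Message) -> Message:
        op = vault.redact if self.operation == "REDACT" else vault.reveal
        if self.content == "form":
            data = parse_qs(msg.body, keep_blank_values=True)
            for name in self.fields:
                if name in data:
                    data[name] = [op(v) for v in data[name]]
            return msg._replace(body=urlencode(data, doseq=True))
        doc = json.loads(msg.body)
        for jsonpath in self.fields:
            key = jsonpath[2:] if jsonpath.startswith("$.") else jsonpath
            if isinstance(doc.get(key), str):
                doc[key] = op(doc[key])
        return msg._replace(body=json.dumps(doc))

# The four filters configured in the README, expressed as data.
INBOUND_FILTERS = [
    Filter("request", "REDACT", "form", ["SSN", "driver_license_number"], method="POST", path="/app/add"),
    Filter("response", "REVEAL", "json", ["$.social_security_number", "$.driver_license_number"],
           method="GET", path_prefix="/app/api/data", content_type="application/json"),
]
OUTBOUND_FILTERS = [
    Filter("request", "REVEAL", "json", ["$.ssn", "$.driver_license_number"], method="POST", path="/v1/candidates"),
    Filter("response", "REDACT", "json", ["$.ssn", "$.driver_license_number"], path="/v1/candidates"),
]

def run_phase(filters: List[Filter], vault: Vault, phase: str, msg: Message) -> Message:
    """Apply, in order, every filter of this phase whose conditions match."""
    for f in filters:
        if f.phase == phase and f.matches(msg):
            msg = f.apply(vault, msg)
    return msg

def walk_through(vault: Optional[Vault] = None) -> dict:
    """Replay the sample's hops with constructed messages (the PII is made up); returns what each party sees."""
    vault = vault or Vault()
    ssn, dl = "123-45-6789", "D1234567"
    form, js = {"Content-Type": "application/x-www-form-urlencoded"}, {"Content-Type": "application/json"}
    # 1. Browser -> inbound route -> Django: the POST is redacted, so the DB only ever gets aliases.
    add = Message("POST", "/app/add", form, urlencode({"name": "Alice", "SSN": ssn, "driver_license_number": dl}))
    stored = {k: v[0] for k, v in parse_qs(run_phase(INBOUND_FILTERS, vault, "request", add).body).items()}
    # 2. Django -> inbound route -> browser: the data API response is revealed for the data owner.
    api = Message("GET", "/app/api/data/1", js, json.dumps({"name": "Alice", "social_security_number": stored["SSN"],
                                                            "driver_license_number": stored["driver_license_number"]}))
    browser_sees = json.loads(run_phase(INBOUND_FILTERS, vault, "response", api).body)
    # 3. Django -> outbound route -> Checkr: aliases are swapped for the real values on the way out.
    cand = Message("POST", "/v1/candidates", js,
                   json.dumps({"ssn": stored["SSN"], "driver_license_number": stored["driver_license_number"]}))
    checkr_sees = json.loads(run_phase(OUTBOUND_FILTERS, vault, "request", cand).body)
    # 4. Checkr -> outbound route -> Django: PII echoed back in the response is redacted again.
    echo = Message("POST", "/v1/candidates", js, json.dumps({"id": "cand_demo", "ssn": ssn, "driver_license_number": dl}))
    app_receives = json.loads(run_phase(OUTBOUND_FILTERS, vault, "response", echo).body)
    # 5. Caveat: a path no filter covers is forwarded untouched, raw PII included.
    other = Message("POST", "/app/other", form, urlencode({"SSN": ssn}))
    unfiltered = parse_qs(run_phase(INBOUND_FILTERS, vault, "request", other).body)["SSN"][0]
    return {"stored": stored, "browser_sees": browser_sees, "checkr_sees": checkr_sees,
            "app_receives": app_receives, "unfiltered": unfiltered}
```

Print walk_through() to see that what the app stores, and what it gets back from Checkr, are aliases, while the data owner and Checkr see the real values; the "unfiltered" entry is the raw SSN that slipped through the uncovered path. The practical lesson is that the proxy only protects what the filter conditions match, so every new endpoint that accepts PII needs a matching filter before it goes live.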

  5. Use the vault URLs in the app. Add the inbound route to idVerification/settings.py:

INBOUND_ROUTE = 'https://tntdbopmilp.SANDBOX.verygoodproxy.com'  # inbound

and the outbound route, also in idVerification/settings.py:

OUTBOUND_ROUTE = 'https://US2yjMXkaJddDpxSCj1BCFb7:056c520b-5564-4750-bb96-d774104090e0@tntdbopmilp.SANDBOX.verygoodproxy.com:8080'  # outbound

Note that OUTBOUND_ROUTE embeds the proxy access credentials (username:password) for the vault. The values above come from this sample's sandbox vault; treat the credentials of your own vault as secrets: load them from the environment rather than committing them to settings.py, and keep the full URL out of logs.

  6. Our app is now secured by VGS. Let's check it out:
  • restart the rerun.sh script
  • go to http://localhost:8001/app/
  • add new data using the UI form
  • go to the original data view and try to check it on the Checkr service

Why we use Nginx

The sample application has CSRF protection. Django's protection is based on two tokens that the Django server generates and verifies: one is stored in a browser cookie, the other is embedded in the form. The browser only sends that cookie back to the host that set it, so the Django server and the VGS proxy must be reachable under the same host for the browser to attach the CSRF cookie to a request that goes through the VGS proxy. Nginx, listening on http://localhost:8001, provides that single host for the browser and forwards requests to VGS_INBOUND_URL from docker-compose.yml, which before VGS is set up is the Django container itself (http://vgs-django-sample:8000).

What is VGS?

Want to just jump right in? Check out our getting started guide.

Very Good Security (VGS) allows you to enhance your security standing while maintaining the utility of your data internally and with third parties. As an added benefit, we accelerate your compliance certification process and help you quickly obtain security-related compliances that stand between you and your market opportunities.

To learn more, visit us at https://www.verygoodsecurity.com/

License

This project is licensed under the MIT license. See the LICENSE file for details.
