Python Security Best Practices — Protect Your Applications
Most Python tutorials skip security entirely. Then you ship code with hardcoded secrets, SQL injection holes, and dependencies with known CVEs. This guide covers the security practices that every Python developer should know — from input validation to encryption to secure deployment.
No paranoia, no FUD — just practical patterns that prevent real attacks.
1. Input Validation — Trust Nothing
Every external input is a potential attack vector. Validate early, validate strictly.
Pydantic for structured validation
from pydantic import BaseModel, Field, EmailStr, field_validator
import re
class UserRegistration(BaseModel):
"""Validates user input — rejects anything suspicious."""
username: str = Field(..., min_length=3, max_length=30)
email: EmailStr
password: str = Field(..., min_length=12)
age: int = Field(..., ge=13, le=150)
@field_validator("username")
@classmethod
def username_safe(cls, v):
if not re.match(r"^[a-zA-Z0-9_-]+$", v):
raise ValueError("Username: only letters, numbers, _, -")
return v
@field_validator("password")
@classmethod
def password_strength(cls, v):
checks = [
(r"[A-Z]", "one uppercase letter"),
(r"[a-z]", "one lowercase letter"),
(r"[0-9]", "one digit"),
(r"[!@#$%^&*(),.?\":{}|<>]", "one special character"),
]
missing = [msg for pattern, msg in checks if not re.search(pattern, v)]
if missing:
raise ValueError(f"Password needs: {', '.join(missing)}")
return v
# Usage — invalid data raises ValidationError with details
try:
user = UserRegistration(
username="alice