
Data security and general Pythonanywhere queries

The users of my website are a bit concerned about data security. Could you please forward me some information on what PythonAnywhere does to ensure the security of data that I can send to my users?

If they wanted to move the application from PythonAnywhere to any other hosting site, is that possible? What would be needed for that?

Thanks!

Hi amritha,

Do you mean security as in how to keep proprietary source code private, how to keep data in, say, a MySQL database from leaking, how to keep your PythonAnywhere dev account from being accessed by malicious users, or web-app-specific stuff like MITM, etc.?

Not sure about the structure of your application, but moving it to another hosting site would probably just involve git cloning, doing a DB dump and, say, rsyncing it over, and then making sure you have the configuration at the other hosting site set up correctly.

Conrad

Hi Conrad, they want to know about data security with regard to all of the above: keeping proprietary source code private, keeping data in, say, a MySQL database from leaking, keeping the PythonAnywhere dev account from being accessed by malicious users, and web-app-specific stuff like MITM. If you could please forward me some information about each of them, it would be great. Thanks!

Thanks for the info about moving to another hosting site.

Hi amritha -- we'll get back to you about this on Monday.

Hi amritha,

So, here are some answers:

  • Your source code and other files are held on EBS volumes on Amazon Web Services. Each volume is shared between a number of PythonAnywhere users. They are kept separate using Linux's chroot system -- each user can see only the files in their own section of the disk. (This is the same technology used by Docker and Linux containers.) The files can in theory be viewed by PythonAnywhere staff, but we have internal procedures in place to make sure this only happens with your explicit permission, except in emergencies or when required by law enforcement. Our terms and conditions have the legal details.
  • Your MySQL data is held on a MySQL server that is also shared between a number of our customers. Security settings are set up so that no user has any access to any other users' data. So long as you use a long, secure password for your database access, your data stored there should be safe. PythonAnywhere staff, again, can access the data, but we will not do so without your permission, as per our T&Cs.
  • Postgres databases are not shared, each user has their own instance. These run on shared servers, inside Docker containers.
  • Keeping your PythonAnywhere account secure: use a long, secure password, and a recent browser. We use various techniques to minimise the chances of anyone getting access to your account -- for example, HTTPS-only access to our site with strict transport security to prevent HTTPS downgrade attacks. If you're using (e.g.) the latest Chrome, then all of those features will be active.
  • Web app security: the best thing you can do is set your app to run in HTTPS only. There are some per-framework hints here. If you're running on your own domain (i.e. not yourusername.pythonanywhere.com) then you'll also need to get an SSL certificate and provide it to us so that we can use that when we serve your site.

I hope that all helps. If you have any followup questions, just let us know.
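The "run in HTTPS only" advice above is usually implemented as a redirect from HTTP to HTTPS plus a Strict-Transport-Security header on HTTPS responses. The following is an added example, not PythonAnywhere's code or any of the per-framework hints it links to: a small WSGI middleware that does both. It assumes the platform terminates TLS in front of the app and passes the original scheme in an X-Forwarded-Proto header (the header name is an assumption here; check your host's documentation), and it uses yourusername.pythonanywhere.com purely as a placeholder hostname.

```python
from urllib.parse import quote

# One year, covering subdomains; preload is deliberately left out because it
# is hard to undo. Added example, not PythonAnywhere's configuration.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


class ForceHTTPS:
    """WSGI middleware: redirect plain-HTTP requests to HTTPS and add HSTS.

    Assumes a TLS-terminating proxy that sets X-Forwarded-Proto to the
    scheme the client actually used (assumption for this example).
    """

    def __init__(self, app, canonical_host):
        self.app = app
        # Redirect to a fixed host rather than echoing the Host header, so a
        # forged Host header cannot turn the redirect into an open redirect.
        self.canonical_host = canonical_host

    @staticmethod
    def _is_https(environ):
        if environ.get("wsgi.url_scheme") == "https":
            return True
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        # A chain of proxies may append values; the first is the client's.
        return forwarded.split(",")[0].strip().lower() == "https"

    def __call__(self, environ, start_response):
        if not self._is_https(environ):
            path = quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            location = "https://%s%s" % (self.canonical_host, path)
            if query:
                location += "?" + query
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # HSTS is only honoured by browsers on HTTPS responses, and only
            # HTTPS requests reach this point, so it is always safe to add.
            headers = [h for h in headers
                       if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, with_hsts)


def hello_app(environ, start_response):
    """Minimal application to wrap (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run(app, environ):
    """Drive a WSGI app once and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def make_environ(scheme, forwarded=None, path="/login", query="next=%2F"):
    """Constructed WSGI environ; the Host header is attacker-controlled."""
    environ = {
        "wsgi.url_scheme": scheme,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "HTTP_HOST": "evil.example",  # must never appear in the redirect
        "SERVER_NAME": "localhost",
    }
    if forwarded is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded
    return environ


# Placeholder hostname; substitute your own domain when deploying.
app = ForceHTTPS(hello_app, canonical_host="yourusername.pythonanywhere.com")

if __name__ == "__main__":
    print(run(app, make_environ("http")))                    # 301 to https://...
    print(run(app, make_environ("http", forwarded="https")))  # 200 with HSTS
```

Two points worth checking in your own deployment: trust X-Forwarded-Proto only when the proxy in front of you is guaranteed to overwrite it (otherwise a client can claim "https" and skip the redirect), and keep the redirect target pinned to your own host as above rather than copying the incoming Host header.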

Thanks a lot! Will let you know if they have any more questions.

Hi Giles, is my MySQL database on PythonAnywhere a Postgres database? If not, does each user still get their own instance?

Thanks, Amritha

No, the MySQL database is a MySQL database on a shared server. There is an option to have a Postgres database, which is your own containerised Postgres instance (it's still on a shared machine, but the database instances are isolated).

Hi, the domain name for our website is provided by HostCentric. They are recommending we buy SiteLock for added security. Before I do that, can you please tell me which of the below features PythonAnywhere provides us?

  • Malware scanning/removal
  • Block automated bot attacks
  • Vulnerability scanning/remediation
  • Web Application Firewall

Hi there, we don't provide anything like that -- at least as far as I understand what they mean. It sounds like slightly spammy security marketing FUD to me to be honest.

I can't make security decisions for you, but I'd encourage you to make sure you understand exactly what each one of those things are, and what they can do for you, before you make any decisions.

We're pretty confident in our existing security measures, as outlined in Giles' post above. Of course we're always open to suggestions about how we could improve things, so if you have any specific ideas, do let us know and we can look into it, or maybe answer in more detail. And, naturally, if there are any security researchers out there who spot particular vulnerabilities, do give us a shout via developers@pythonanywhere.com.