You're reading from Jupyter Cookbook
Web security is concerned with assets or information that you have exposed on the internet via a web application.
In this chapter, we investigate the various security mechanisms available for our Jupyter Notebook.
An application needs more security when it handles critical or personal information, for example credit card numbers. At the other end of the spectrum is a site that only provides information that is already public.
In the case of a Jupyter application, you have to make that decision: is the application or the data it exposes of high importance to your company or project? Many Jupyter applications (like many web applications in general) do not need a high degree of security because the information and algorithms they use are generally known. Note that a Notebook server can also execute arbitrary code on the machine it runs on, so even a Notebook with no valuable data is a valuable foothold for an attacker if it is reachable without authentication.
Jupyter has a variety of security mechanisms available depending on your needs, which we'll discuss in the following points.
Authentication is the process of verifying that a user is who they claim to be.
Jupyter can use:
- Token-based authentication
- Password authentication
- No authentication
Current versions of Jupyter use token-based authentication by default. If you enable password protection for your application (the usual login with a password, set with the jupyter notebook password command or with c.NotebookApp.password), the automatically generated token is disabled. Choosing no authentication at all (an empty token and no password) means anyone who can reach the port can run code as the account that started the server.
Token-based authentication is where a secret token generated by the server must accompany a user's requests; a request without the correct token is rejected before it reaches your application. For example:
- User K connects to your application
- The server generated a random token when it started and printed a URL containing it; the user opens that URL (or sends the token in an Authorization: token <value> request header), after which the server sets a session cookie so later requests need not repeat the token
- As the application is running in such a web server...
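The token check described above, as an added example that is not Jupyter's own code: a server-side token is generated the way Jupyter does at startup (24 random bytes, printed as 48 hex characters), and a constructed HTTP request is accepted only if it carries that exact token in an Authorization header or a token query parameter. The request line and header dictionary are constructed inputs; the function names are this example's own.

```python
# Added example (not Jupyter's own code): accepting a request only when it
# presents the server's token, either as "Authorization: token <value>" or as
# "?token=<value>" in the URL. The comparison is constant-time so the check
# does not leak the token through response timing.
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


def generate_token() -> str:
    """Random token as Jupyter generates at startup: 24 bytes, hex-encoded (48 chars)."""
    return secrets.token_hex(24)


def token_from_request(request_line: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the token the client presented, checking the header first, then the query string."""
    auth = headers.get("Authorization", "")
    if auth.startswith("token "):
        return auth[len("token "):].strip()
    # request_line looks like "GET /tree?token=abc HTTP/1.1"
    path = request_line.split(" ")[1]
    values = parse_qs(urlsplit(path).query).get("token")
    return values[0] if values else None


def is_authenticated(server_token: str, request_line: str, headers: Dict[str, str]) -> bool:
    """Accept the request only if it carries exactly the server's token."""
    presented = token_from_request(request_line, headers)
    if presented is None:
        return False
    # compare_digest takes time independent of where the first mismatch is
    return hmac.compare_digest(presented.encode("utf-8"), server_token.encode("utf-8"))


if __name__ == "__main__":
    # Constructed requests: one with the token in the header, one in the URL, one without.
    token = generate_token()
    print("Open: http://localhost:8888/?token=" + token)
    print(is_authenticated(token, "GET /tree HTTP/1.1", {"Authorization": "token " + token}))  # True
    print(is_authenticated(token, "GET /tree?token=%s HTTP/1.1" % token, {}))                  # True
    print(is_authenticated(token, "GET /tree HTTP/1.1", {}))                                    # False
```

A request that carries a truncated or modified token is rejected just like one with no token at all; the server never reveals which of the two happened.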
Along the same lines, if you determine that the contents of your Notebook are valuable, you should use SSL/TLS to encrypt all traffic between the browser and your Notebook server. At a minimum, the token or password is then encrypted in transit as well, which prevents anyone on the network path from reading it or hijacking the session cookie.
A well-known service for providing free SSL certificates is Let's Encrypt (https://letsencrypt.org/); it issues certificates for domain names you control on the public internet. For a server that you only reach on a private network or by IP address, a self-signed certificate is enough (your browser will warn about it once). Let's take a look at how to create and apply such a certificate in the following sections.
You can create a self-signed certificate and its private key using openssl with this command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mykey.key -out mycert.pem
Where the options specified are as follows:
- -x509: Produce a self-signed X.509 certificate directly rather than a certificate signing request
- -nodes: Do not encrypt the private key with a passphrase, so the server can start unattended
- -days 365: Good for one year
- -newkey rsa:2048: Generate a new 2,048-bit RSA key
- -keyout: Location to place the private key
- -out: Location to place the certificate
Because the key is unencrypted, make mykey.key readable only by the account that runs Jupyter (for example with chmod 600 mykey.key).
Jupyter applies the following trust model to the HTML and JavaScript found in a Notebook:
- Untrusted HTML is always sanitized
- Untrusted JavaScript is never executed
- HTML and JavaScript in Markdown cells are never trusted
- Outputs generated by the user are trusted
- Any other HTML or JavaScript (in Markdown cells or output generated by others) is never trusted
Sanitizing untrusted output strips the active parts: script tags and inline event handlers are removed and styling is restricted, so the output is rendered as static content. This can be a problem because many applications store JavaScript and/or actionable CSS in output cells that are not visible to the user, and that code is disabled by the trust model until the Notebook is trusted.
Jupyter decides trust by comparing keyed hashes (HMACs, which the Jupyter documentation calls signatures). When a Notebook is saved, an HMAC of the Notebook contents is computed with a secret key that the server generates and stores in its data directory (the notebook_secret file), and the resulting signature is recorded in a database on the same disk (nbsignatures.db). Whenever a Notebook is accessed, the signature is regenerated and compared to the stored value...
You can also explicitly mark a Notebook you have reviewed as trusted with the jupyter trust notebook.ipynb command, which signs it with the same secret.
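The signing and checking mechanism described above, as an added example that is not Jupyter's own nbformat.sign code: a keyed hash (HMAC-SHA256) over a deterministic serialization of a constructed Notebook is recorded in an in-memory store standing in for nbsignatures.db, and any later change to the Notebook, including to an output cell, makes the lookup fail. Jupyter serializes the Notebook differently from this example, so the digests here will not match a real database entry; the function names and the sample Notebook are this example's own.

```python
# Added example (not Jupyter's own code): how a keyed hash of the notebook
# contents establishes trust. A secret the server keeps on disk is combined
# with the notebook JSON; the stored value only matches while the notebook
# is byte-for-byte the content the user last saved or trusted.
import hashlib
import hmac
import json
import secrets
from typing import Set


def canonical_bytes(nb: dict) -> bytes:
    """Serialize deterministically so identical content always gives the same digest."""
    return json.dumps(nb, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_signature(nb: dict, secret: bytes) -> str:
    """HMAC-SHA256 over the serialized notebook, keyed with the server secret."""
    return hmac.new(secret, canonical_bytes(nb), hashlib.sha256).hexdigest()


def sign_notebook(nb: dict, secret: bytes, store: Set[str]) -> None:
    """Mark the notebook trusted: record its signature in the server-side store."""
    store.add(compute_signature(nb, secret))


def is_trusted(nb: dict, secret: bytes, store: Set[str]) -> bool:
    """Recompute the signature and look it up; any change to the notebook breaks the match."""
    return compute_signature(nb, secret) in store


def example_notebook() -> dict:
    """Constructed minimal notebook with one code cell that emitted HTML output."""
    return {
        "nbformat": 4, "nbformat_minor": 2, "metadata": {},
        "cells": [{
            "cell_type": "code", "execution_count": 1, "metadata": {},
            "source": "from IPython.display import HTML\nHTML('<b>hello</b>')",
            "outputs": [{"output_type": "execute_result", "execution_count": 1,
                         "metadata": {}, "data": {"text/html": "<b>hello</b>"}}],
        }],
    }


if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # Jupyter keeps its secret in notebook_secret
    store = set()                      # Jupyter keeps signatures in nbsignatures.db
    nb = example_notebook()
    sign_notebook(nb, secret, store)
    print(is_trusted(nb, secret, store))              # True: unchanged since signing
    # Someone edits the saved file and injects script into an output cell
    nb["cells"][0]["outputs"][0]["data"]["text/html"] = "<script>alert(1)</script>"
    print(is_trusted(nb, secret, store))              # False: output will be sanitized
```

Because the check is keyed, a Notebook copied from another machine carries no valid signature for this server's secret even if its contents are identical to one you trust here; you must trust it locally, which is exactly the point of the model.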
A Jupyter Notebook server can control which web origins may send requests to it and which IP address it listens on.
By default, the server listens only on localhost.
This means that only processes on your own machine can reach the Notebook, and browsers refuse cross-origin requests from other sites because no origin is allowed. This is enforced with the following parameters in the configuration file:
c.NotebookApp.allow_origin = ''
c.NotebookApp.ip = 'localhost'
There are several miscellaneous steps that can be taken to further the security of your system.
Let us take a look at some of the ways to enhance the security of our system in the following sections.
You can specify the port (and the IP address, as shown above) to be used by your Notebook rather than using the defaults. Many attack scripts count on you using default values, such as Jupyter's default port 8888, to quickly find targets. Changing the port is not a substitute for authentication and TLS; it only reduces how often automated scans notice the server.
The port used by the Notebook can be changed with this configuration command:
c.NotebookApp.port = 9732
Note that once you determine the port for Jupyter, you need to open that port in your firewall, and only for the addresses that need it, so that communication to the Notebook will get through.
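The settings from the preceding sections (listening address and port, certificate and key, password, allowed origin) only protect the server when they are used together, so here is an added example, not code from the original page or from Jupyter, that assembles them into the lines for jupyter_notebook_config.py and refuses the combination that exposes the server to the network without TLS and a password. The function names are this example's own; the hashed password is expected in the form produced by the jupyter notebook password command (a sha1: or argon2: prefixed string).

```python
# Added example (not from Jupyter): generate the NotebookApp settings for a
# server that other machines can reach, and reject an insecure combination
# before it is written to jupyter_notebook_config.py.
import os
from typing import Dict, Optional

LOCAL_ADDRESSES = ("localhost", "127.0.0.1", "::1")
PASSWORD_HASH_PREFIXES = ("sha1:", "argon2:")   # as written by `jupyter notebook password`


def notebook_settings(ip: str = "localhost", port: int = 8888,
                      certfile: Optional[str] = None, keyfile: Optional[str] = None,
                      hashed_password: Optional[str] = None) -> Dict[str, object]:
    """Return NotebookApp traitlet values as a dict, checking they are consistent."""
    if not 1 <= port <= 65535:
        raise ValueError("port %r is out of range" % port)
    if (certfile is None) != (keyfile is None):
        raise ValueError("certfile and keyfile must be given together")
    if hashed_password and not hashed_password.startswith(PASSWORD_HASH_PREFIXES):
        raise ValueError("password must be the hashed form from `jupyter notebook password`, "
                         "never the clear-text password")
    exposed = ip not in LOCAL_ADDRESSES
    if exposed and certfile is None:
        raise ValueError("binding to %r without TLS sends the login credentials in clear text" % ip)
    if exposed and not hashed_password:
        raise ValueError("binding to %r requires a password; the default token is not enough "
                         "for a server other people can reach" % ip)
    settings: Dict[str, object] = {
        "ip": ip,
        "port": port,
        "open_browser": False,   # a headless server has no browser to open
        "allow_origin": "",      # no cross-origin requests
    }
    if certfile is not None and keyfile is not None:
        # Jupyter resolves these at startup; absolute paths avoid surprises from the cwd
        settings["certfile"] = os.path.abspath(certfile)
        settings["keyfile"] = os.path.abspath(keyfile)
    if hashed_password:
        settings["password"] = hashed_password   # setting a password disables the token
    return settings


def render_config(settings: Dict[str, object]) -> str:
    """Render the settings as the lines to put in jupyter_notebook_config.py."""
    lines = ["c = get_config()"]
    for name in sorted(settings):
        lines.append("c.NotebookApp.%s = %r" % (name, settings[name]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed values: the hash below is a placeholder, not a real password hash.
    cfg = notebook_settings(ip="0.0.0.0", port=9732,
                            certfile="mycert.pem", keyfile="mykey.key",
                            hashed_password="sha1:0123456789ab:placeholderdigest")
    print(render_config(cfg))
```

Run it and paste the printed lines into ~/.jupyter/jupyter_notebook_config.py; the local-only default (no arguments) renders the localhost configuration shown earlier, and asking for ip='0.0.0.0' without a certificate or password stops with an error instead of producing a configuration that would leak the login over the network.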