Adding /admin/ as a wink to Django developers

Written by Adrian Holovaty on June 3, 2013

We've intentionally never put anything in Django that identifies the framework. There are no custom X-Generated-By headers, no hard-coded "Powered by Django" default templates -- no reliable way for a user of a site to know whether that site uses Django behind the scenes.

Back in the day, Django's session cookie was called "hotclub" by default (a reference to the name of Django Reinhardt's band, the Quintette du Hot Club de France), and checking for a presence of that cookie was a reasonable way of seeing whether a site used Django. But we changed the default on that back in 2005 because "hotclub" had been misinterpreted by some people as having some sort of porn-site meaning. :-)

I've always considered this anonymity a sign of a good framework -- Django stays out of the way and doesn't insert cruft -- but in some cases, I really want to know whether a site uses Django! In those cases, my usual plan is to go to /admin/ and see whether I get the classic Django admin login screen.

This isn't a perfect technique, because there's no guarantee that the site (a) uses the Django admin or (b) hooks it to /admin/ as opposed to some other URL. But it's pretty decent.

And that brings me to revealing an easter egg I've put in various sites over the years: the /admin/ redirect. I'm proud of the framework and want people to know that my sites use it, but I haven't used the Django admin on a site since working for washingtonpost.com back in 2007! So I implement /admin/ in my sites -- but only as a redirect...to the Django admin documentation. :-)

Hit holovaty.com/admin or soundslice.com/admin to see what I mean.

If you're looking for a way to send a wink to your fellow Django developers, here's how you can do it in your own urls.py:

from django.views.generic import RedirectView
from django.conf.urls import patterns, url

ADMIN_URL = 'https://docs.djangoproject.com/en/dev/ref/contrib/admin/'

urlpatterns = patterns('',
    # ...
    ('^admin/$', RedirectView.as_view(url=ADMIN_URL)),
)

If you do actually use the Django admin, just hook it to a separate URL. This gives you a tiny little benefit of security-by-obscurity.

Happy easter egging!

Comments

Posted by Alex Gaynor on June 3, 2013 at 11:52 a.m.:

A more pro-level trick is to figure out where their site media root would be and look for the admin media there. There's also https://github.com/mitsuhiko/probe which picks up on some crazy subtle things.

Posted by Adrian Holovaty on June 3, 2013 at 11:54 a.m.:

Nice idea to look for the admin media! Of course, that wouldn't catch sites like Soundslice that don't use the admin. :-)

Posted by Dmitry on June 3, 2013 at noon:

I personally like this approach: https://github.com/dmpayton/django-admin-honeypot

Posted by Andy Theyers on June 3, 2013 at 12:33 p.m.:

I've always found the CSRF token to be a good Django identifier.

Posted by Shabda Raaj on June 3, 2013 at 9:15 p.m.:

There are a bunch of other giveaway:

1. As andy mentioned CSRF token - can be changed in settings.py, but most people won't bother.
2. Inputs have a obvious signature -
input id="id_FOO" name="FOO"

Posted by Diederik on June 4, 2013 at 3 a.m.:

While I appreciate the fact that Django hides itself pretty much, I also would love to see Django in the following graphs:

http://wappalyzer.com/categories/web-frameworks
http://trends.builtwith.com/framework

Some advertisement wouldn't hurt either imho. Is it really that bad that a visitor can recognize Django?

Posted by Eugene MechanisM on June 4, 2013 at 9:58 a.m.:

I'm using "fake Django admin login screen to log and notify admins of attempted unauthorized access.": https://github.com/dmpayton/django-admin-honeypot ;)

Posted by Hendrik on June 13, 2013 at 11:54 a.m.:

Out of curiosity:
you mentioned "but I haven't used the Django admin on a site since working for washingtonpost.com back in 2007"

Are you referring to moving the admin area from /admin/ to some other URL or are you actually rolling out a custom admin area for all your projects?

Posted by Adrian Holovaty on June 13, 2013 at 3:29 p.m.:

Hendrik: I haven't needed to use the Django admin -- I've either made small site-specific admin tools or not had a need.

Posted by manojlds on June 14, 2013 at 12:57 p.m.:

I am working on a open source Django website.

How do I make sure my admin page remains secure ( obscured )?

Go the route of secret key, and other sensitive info, and have admin url passed as environment variable?

Posted by Neil Lyons on August 25, 2013 at 3:10 p.m.:

If I want to check if a site uses Django I look for a few things:

* Forward slash at the end of URLs
* Static files served from /static/
* The CSRF token on post forms. Usually the login.
* The login page at /accounts/login/
* Checking /admin/

Comments have been turned off for this entry.