A Security-First Middleware for Django to ensure NIS2 compliance with forensic logging, active defense, and SIEM integration.

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for FabDiP89 from gravatar.com FabDiP89

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Fabrizio Di Priamo
  • Tags django , security , nis2 , compliance , logging , siem , middleware , gdpr , audit , forensic , cybersecurity , enterprise , rate-limiting , session-guard
  • Requires: Python >=3.8
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

Django NIS2 Shield

PyPI version Python Django Safety: Passing PiWheels License: MIT

The "Security-First" Middleware for NIS2 Compliance.

Companies subject to NIS2 Directive need demonstrable compliance. This middleware provides:

  1. Forensic logging with HMAC-SHA256 integrity and PII encryption (Art. 21.2.h)
  2. Rate limiting to prevent DoS/Brute Force attacks (Art. 21.2.e)
  3. Session Guard to detect hijacking via IP/User-Agent validation (Art. 21.2.a)
  4. MFA Gatekeeper for sensitive routes (Art. 21.2.j)
  5. Multi-SIEM Presets: Ready-to-use configs for Splunk, Datadog, QRadar.

Part of the NIS2 Shield Ecosystem: Use with @nis2shield/react-guard, @nis2shield/angular-guard, or @nis2shield/vue-guard for client-side protection and nis2shield/infrastructure for a full-stack implementation.

┌─────────────────────────────────────────────────────────────┐
│                        Frontend                              │
│  @nis2shield/{react,angular,vue}-guard                      │
│  ├── SessionWatchdog (idle detection)                       │
│  ├── AuditBoundary (crash reports)                         │
│  └── → POST /api/nis2/telemetry/                           │
└─────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│                  Backend (NIS2 Adapter)                      │
│  Supported: Django, Express, Spring Boot, .NET            │
│  ├── ForensicLogger (HMAC signed logs)                     │
│  ├── RateLimiter, SessionGuard, TorBlocker                 │
│  └── → SIEM (Elasticsearch, Splunk, QRadar, etc.)          │
└─────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌─────────────────────────────────────────────────────────────┐
│                    Infrastructure                            │
│  nis2shield/infrastructure                                  │
│  ├── Centralized Logging (ELK/Splunk)                       │
│  └── Audited Deployment (Terraform/Helm)                    │
└─────────────────────────────────────────────────────────────┘

✨ Key Features

🔒 Forensic Logger

  • Structured logs (JSON or CEF) signed with HMAC-SHA256
  • Automatic PII field encryption (GDPR compliant)
  • Configurable IP anonymization

🛡️ Active Defense

  • Rate Limiting: Protection against application-level DoS attacks (sliding window algorithm)
  • Session Guard: Session hijacking prevention with mobile network tolerance
  • Tor Blocker: Automatic blocking of Tor exit nodes
  • MFA Gatekeeper: 2FA redirect for sensitive paths

📊 Compliance & Reporting

  • check_nis2 command for configuration auditing
  • Incident report generation for CSIRT (24h deadline)
  • SIEM presets for Elasticsearch, Splunk, QRadar, Graylog, Sumo Logic, and Datadog

🔔 Real-time Alerting (v0.3.0+)

  • Webhook notifications for security events
  • Supports Slack, Microsoft Teams, Discord, and generic HTTP

📦 Installation

pip install django-nis2-shield

For development:

pip install django-nis2-shield[dev]

⚙️ Configuration

settings.py

INSTALLED_APPS = [
    ...,
    'django_nis2_shield',
]

MIDDLEWARE = [
    ...,
    # Add after SessionMiddleware and before CommonMiddleware
    'django_nis2_shield.middleware.Nis2GuardMiddleware', 
    ...,
]

# NIS2 Shield Configuration
NIS2_SHIELD = {
    # Security Keys
    'INTEGRITY_KEY': 'change-me-to-a-secure-secret',
    'ENCRYPTION_KEY': b'your-32-byte-fernet-key-here=',  # Fernet.generate_key()
    
    # Privacy (GDPR)
    'ANONYMIZE_IPS': True,
    'ENCRYPT_PII': True,
    'PII_FIELDS': ['user_id', 'email', 'ip', 'user_agent'],
    
    # Active Defense
    'ENABLE_RATE_LIMIT': True,
    'RATE_LIMIT_THRESHOLD': 100,  # requests per window
    'RATE_LIMIT_WINDOW': 60,  # seconds
    'RATE_LIMIT_ALGORITHM': 'sliding_window',  # or 'fixed_window'
    'ENABLE_SESSION_GUARD': True,
    'SESSION_IP_TOLERANCE': 'subnet',  # 'exact', 'subnet', 'none'
    'BLOCK_TOR_EXIT_NODES': True,
    
    # MFA
    'ENFORCE_MFA_ROUTES': ['/admin/', '/finance/'],
    'MFA_SESSION_FLAG': 'is_verified_mfa',
    'MFA_REDIRECT_URL': '/accounts/login/mfa/',
    
    # Webhooks (v0.3.0+)
    'ENABLE_WEBHOOKS': True,
    'WEBHOOKS': [
        {'url': 'https://hooks.slack.com/...', 'format': 'slack'},
    ]
}

Log Format: CEF (Enterprise SIEM)

For CEF output instead of JSON:

from django_nis2_shield.cef_formatter import get_cef_logging_config

LOGGING = get_cef_logging_config('/var/log/django_nis2.cef')

🚀 Usage

Configuration Audit

python manage.py check_nis2

Threat Intelligence Update

python manage.py update_threat_list

Incident Report Generation

python manage.py generate_incident_report --hours=24 --output=incident.json

📈 Dashboard Monitoring

The project includes a Docker stack for log visualization:

cd dashboard
docker compose up -d

# Access:
# - Kibana: http://localhost:5601
# - Grafana: http://localhost:3000 (admin/admin)

See dashboard/README.md for details.

🧪 Testing

# With pytest
pip install pytest pytest-django
PYTHONPATH=. pytest tests/ -v

📖 Recipes

Banking App with MFA & Rate Limiting

# settings.py
NIS2_SHIELD = {
    'INTEGRITY_KEY': os.environ['NIS2_HMAC_KEY'],
    'ENCRYPTION_KEY': os.environ['NIS2_AES_KEY'],
    
    # Rate Limit: 50 requests per minute
    'ENABLE_RATE_LIMIT': True,
    'RATE_LIMIT_THRESHOLD': 50,
    'RATE_LIMIT_WINDOW': 60,
    
    # MFA for admin and finance
    'ENFORCE_MFA_ROUTES': ['/admin/', '/finance/', '/transfers/'],
    'MFA_REDIRECT_URL': '/accounts/mfa/verify/',
}

E-commerce with Splunk SIEM

# settings.py
import os

NIS2_SHIELD = {
    'INTEGRITY_KEY': os.environ['NIS2_HMAC_KEY'],
    'ANONYMIZE_IPS': True,
    'ENCRYPT_PII': True,
    
    # Webhooks for real-time alerts
    'ENABLE_WEBHOOKS': True,
    'WEBHOOKS': [
        {'url': 'https://hooks.slack.com/...', 'format': 'slack'},
    ]
}

# Splunk SIEM Output
from django_nis2_shield.siem import get_splunk_logging_config
LOGGING = get_splunk_logging_config(
    splunk_url='https://splunk.example.com:8088',
    token=os.environ['SPLUNK_HEC_TOKEN']
)

Healthcare API with Session Guard

# Block session hijacking attempts with IP tolerance for mobile networks
NIS2_SHIELD = {
    'ENABLE_SESSION_GUARD': True,
    'SESSION_IP_TOLERANCE': 'subnet',  # 'exact', 'subnet', or 'none'
    'BLOCK_TOR_EXIT_NODES': True,
}

📄 License

MIT License - see LICENSE for details.

🤝 Contributing

Contributions are welcome! Open an issue or PR on GitHub.

Documentation · PyPI · Changelog

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for FabDiP89 from gravatar.com FabDiP89

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Fabrizio Di Priamo
  • Tags django , security , nis2 , compliance , logging , siem , middleware , gdpr , audit , forensic , cybersecurity , enterprise , rate-limiting , session-guard
  • Requires: Python >=3.8
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

1.1.1

0.3.7

This version

0.3.6

0.3.5

0.3.2

0.3.1

0.3.0

0.2.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django_nis2_shield-0.3.6.tar.gz (28.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

django_nis2_shield-0.3.6-py3-none-any.whl (23.7 kB view details)

Uploaded Python 3

File details

Details for the file django_nis2_shield-0.3.6.tar.gz.

File metadata

  • Download URL: django_nis2_shield-0.3.6.tar.gz
  • Upload date:
  • Size: 28.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for django_nis2_shield-0.3.6.tar.gz
Algorithm Hash digest
SHA256 2376a1f8e55a8636680f869266ff5f916d31285a3a35719f3f1e08f0383a53fe
MD5 41c3b0d384c565cb1e4899b53706729b
BLAKE2b-256 3e033756fef0dc983c48f31a8be7ac30f2b9929bef89de8b1a7154ee5174fc70

See more details on using hashes here.

Provenance

The following attestation bundles were made for django_nis2_shield-0.3.6.tar.gz:

Publisher: publish.yml on nis2shield/django-nis2-shield

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file django_nis2_shield-0.3.6-py3-none-any.whl.

File metadata

File hashes

Hashes for django_nis2_shield-0.3.6-py3-none-any.whl
Algorithm Hash digest
SHA256 6a041852e9b0824a94c61ce905ec5406046050abaf6f6df67b3525fe88f31717
MD5 87ae45bd906fa87a410dfd2d77072142
BLAKE2b-256 2517659c36f4d0ea61e194b7f936b7cdbcfdbb7224aba73d84361edee4df80d5

See more details on using hashes here.

Provenance

The following attestation bundles were made for django_nis2_shield-0.3.6-py3-none-any.whl:

Publisher: publish.yml on nis2shield/django-nis2-shield

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page