Building a Secure Web Application with Django
We were contacted by a startup in the healthcare industry to create a web application which would present data produced by their new diagnostics software for detecting coronary artery disease.
In order to improve patient experience and make the product convenient for medical professionals, our client needed a secure web interface to present test results. This implied building UIs for several user cohorts; including patients, tech support, as well as a comprehensive UI for doctors. More crucially, our experience in Big Data & analytics would be vital in designing an API to interact with the database and the front end.
Django was the right choice for this application for several reasons, mainly due to its security features, the fact that much of the backend code for the application was already written in Python, and the client needed the application to be ready to go on a tight deadline. Django is, after all, the “web framework for perfectionists with deadlines.”
Building a Solution
Our solution took full advantage of Django’s many built-in features to create a robust, scalable application with an attractive UI. We relied on Django’s ORM (Object Relational Mapper) and the Django Rest Framework, building a RESTful API to support the end-user product. To ensure security and patient confidentiality we used Django’s native security features along with JSON Web Tokens. Finally, Django’s rich features allowed us to quickly develop a high-performance browser based UI.
Why a RESTful API in Django?
We chose to implement a RESTful application architecture using the Django REST Framework as it is highly scalable and works conveniently with a variety of data formats. Being web-based it relies on HTTP to transfer data; thus any tool that can use HTTP can work with REST resources. With HTTP, locating data sources with REST is quite simple using URIs (Uniform Resource Identifier), allowing a greater decoupling between backend and frontend elements.
Another important reason we decided to use the Django REST Framework was its discoverable API browser which saves a lot of time, providing pagination, related resources, and much, much more.
Django offers great features for interacting with SQL databases, most notably its ORM (Object Relational Mapper), which allows developers to access and manipulate data directly in their Python code without writing cumbersome SQL statements. With its ORM, Django simply brings more to the table.
However, it’s important to note that the ORM is strongly oriented towards SQL databases. That’s not to say you can’t use NoSQL databases with Django – tools like the Django MongoDB Engine do exist – but you will have to do a bit more work and use some extra software.
Besides features for developing a REST API, the Django REST Framework also provides serializers. Serializers allow complex data such as query sets and model instances to be converted to native Python datatypes that can then be easily rendered into JSON, XML or other content types. Serializers also provide deserialization, converting parsed data back into complex types.
Speaking of data and database queries, it’s important to mention migrations in Django. Migrations are Django’s way of propagating changes to models (new tabs, columns, etc.) to the database scheme. Usually Django handles this automatically, making these changes easy and efficient.
Protecting Patient Confidentiality
Security was a high priority for many reasons given that the product was intended for the healthcare industry. We took advantage of several characteristics and features of Django, along with some extra tools to make sure the application would more than adequately protect patient confidentiality. Django’s ORM layer makes for a great defense against SQL injection, while Django’s built-in CSRF protection is top notch. In addition, we used JSON Web Tokens to provide extra security between the UI and backend, effectively preventing XSS attacks.
To protect user accounts, we took advantage of Django’s multi-factor authentication. The Django REST Framework provides base, token and session based authentication right out of the box. However, there are plenty of other third-party Django packages which are well proven and have rich documentation.
Testing with Django
For any large-scale web application, rigorous testing is of vital importance to ensure reliability and proper functionality even in edge cases. You can never really be sure how your application might get used in production!
Django offers several benefits in this arena with a convenient mechanism to start a test server, copy data from the database, and load fixtures in the DB. Django also includes its own test client which lets you imitate a web browser programmatically. Basically, you can quickly and easily launch a full testing environment with separated test execution and start developing thorough automated testing scenarios. The Django REST Framework also proved to be of great help in testing, providing ready-to-go test classes for a wide variety of cases.
The frontend consists of 3 different UIs – for users, analytics, and support. Django provides convenient separation of routes which allowed us to get separated routing through web pages for different user types (users, analytics, and support – effectively three apps in one) and reuse code from each application on the frontend server.
By the end of the project, we had used a ton of Django’s native features. But as the functional business specifications evolved, we found that a few of the built-in features didn’t entirely meet our needs. So, we rolled up our sleeves, did some research, and discovered we could easily handle the problem with a slight extension of a few Django tools like template loaders, middleware, and signals.
All in all, Django proved to be a great choice; thanks to its built-in features, we were able to deliver a high quality product on a short deadline. We’re looking forward to our next chance to work with Django, and with our experience in Big Data & analytics we’re confident we can handle the most demanding data driven web-applications.