Skip to main content

AppDefender for Python

Prerequisites

  1. a license key. Get one if you don't have one already.
  2. install the AppDefender Python package and include in your project (requirements.txt), e.g.
    python3 -m pip install appdefender
  3. Note: see the cloud provider specific documentations for more specific details

Configure AppDefender

  1. import AppDefender (inside your entire application for the best protection), e.g.
    import appdefender

  1. add the following environment variables to your serverless function/application

    • ES_LICENSE_KEY=your license key
    • ES_POLICY_GROUP_NAME=name of your policy group, use observeAll.ability if you have a temporary license key

  2. Add the environment variable ES_APP_NAME=<your unique application name> if running inside a container

Configure Policy Groups

  1. if you have a registered account, then you can create and edit your own policy groups
  2. if you have a temporary license key, then please use either the observeAll.ability public policy group or register for a free account and create your own custom policy group
  3. each policy group contains instructions for AppDefender during execution:
    1. Grant, Observe, or Deny access to any combination of the following:
      1. outbound network traffic from the serverless function/application process
      2. read/write on the /tmp/ or application directories
      3. create/spawn child processes
    2. whether to terminate serverless serverless function/application execution for any deny event
    3. whether to allow all cloud provider traffic if outbound data is set to deny. Note: you must upgrade your free plan in order to enable this feature
      1. this is cloud provider specific, so if you are running on GCF and this option is set, all Google Cloud traffic would be allowed
    4. a custom list of allowed domains if outbound data is set to deny
      1. domain names are matched as contains by default, e.g. stripe (contains) would match stripe.com as well as m.stripe.com
      2. wildcards can also be used, e.g. *.amazonaws.com (end with) or labmda.* (starts with)
      3. multiple domains are comma separated
      4. AppDefender performs DNS resolution to act on all IP addresses matching the specified domain names
    5. A optional description field for you to document the purpose or other details of the policy group Policy Group Edit
  4. create as many policy groups as you have unique needs. There is no limit on how many policy groups you may have
  5. once a policy group is updated, the changes are automatically picked up by any AppDefender protected application during its next start/restart

Best Practices

  1. know your application's access patterns by running AppDefender in observe mode initially. Then use a custom policy group with the minimum permissions
  2. if using SSR frameworks, make sure the environment variables are available for the backend runtime