The Most Secure API
Is No API.
Stop leaking business logic to the browser. Stop managing permissions for 50 different REST endpoints. Keep your code on your server, where it belongs.
The "Glass House" Problem
Modern Single Page Applications (SPAs) force you to ship your proprietary business logic to the client's browser in a JavaScript bundle.
Security Risks in SPAs
- ❌ IP Theft: Competitors can reverse-engineer your pricing algorithms from `bundle.js`.
- ❌ Data Leaks: APIs often return full user objects (`password_hash`, `admin_notes`) even if the UI doesn't show them.
- ❌ Attack Surface: Every REST endpoint is a potential entry point for attackers, and each one needs its own authentication, permission checks and input validation.
```js
// ⚠️ EXPOSED LOGIC IN CLIENT BUNDLE: anyone can read this in DevTools
function calculateDiscount(user) {
  if (user.enterpriseTier) {
    return 0.20; // Secret discount exposed!
  }
  return 0.05;
}
```
The "Black Box" Guarantee
With djust, your Python logic stays on the server. The client receives rendered HTML, not the code that produced it. Your business rules remain a black box to the browser.
IP Protection
Your proprietary algorithms never leave the data center. The browser only sees the result, never the formula. Perfect for FinTech and SaaS.
Zero Data Leaks
Our Rust JIT engine scans your templates. If a field (like `email`) is not rendered anywhere in the HTML, it is never fetched from the database. Data that was never loaded cannot end up in the response, so you cannot leak a field you did not display.
Unified Permissions
Stop duplicating validation logic in JavaScript and Python. Define permissions once in Django. If the user can't see it, the HTML is never generated.
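As an added illustration of the last two sections (not djust's Rust JIT engine, whose internals this page does not show), the following plain Python applies the same principle: derive the fetch set from the template, intersect it with a server-side field policy, and only then touch the data store. `USER_TABLE`, `FIELD_POLICY`, the role names and every helper here are constructed for this example; `fetch_user` stands in for an ORM projection such as `User.objects.only(*fields)`.

```python
from __future__ import annotations

import html
import re
from typing import Iterable

# Constructed sample row standing in for a Django User instance.
USER_TABLE = {
    7: {
        "id": 7,
        "email": "ada@example.com",
        "display_name": "Ada",
        "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",
        "admin_notes": "escalated twice, watch for chargebacks",
        "enterprise_tier": True,
    }
}

# Field-level visibility, defined once on the server (hypothetical policy).
# password_hash is deliberately absent: no role may ever render it.
FIELD_POLICY = {
    "id": {"anonymous", "member", "staff"},
    "display_name": {"anonymous", "member", "staff"},
    "email": {"member", "staff"},
    "enterprise_tier": {"member", "staff"},
    "admin_notes": {"staff"},
}

# Matches {{ user.<field> }} placeholders in a Django-style template string.
VAR_RE = re.compile(r"\{\{\s*user\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def referenced_fields(template: str) -> frozenset[str]:
    """Static scan of the template: the only fields the page could display."""
    return frozenset(VAR_RE.findall(template))


def permitted_fields(fields: Iterable[str], role: str) -> frozenset[str]:
    """Drop every field the viewer's role may not see."""
    return frozenset(f for f in fields if role in FIELD_POLICY.get(f, set()))


def fetch_user(user_id: int, fields: Iterable[str]) -> dict:
    """Stands in for User.objects.only(*fields): loads only the projection."""
    row = USER_TABLE[user_id]
    return {f: row[f] for f in fields if f in row}


def render_user(template: str, user_id: int, role: str) -> tuple[str, dict]:
    """Render for `role`; returns the HTML and exactly what was fetched."""
    wanted = permitted_fields(referenced_fields(template), role)
    ctx = fetch_user(user_id, wanted)

    def substitute(m: re.Match) -> str:
        # A field that is unpermitted (or unknown) was never loaded, so its
        # placeholder collapses to nothing: that HTML is never generated.
        return html.escape(str(ctx.get(m.group(1), "")))

    return VAR_RE.sub(substitute, template), ctx


def leaky_api_payload(user_id: int) -> dict:
    """The over-fetching REST pattern: serialize the whole object and leave
    it to the client to hide what it should not show."""
    return dict(USER_TABLE[user_id])
```

`render_user` returns the fetched context alongside the HTML so you can assert in tests that a member rendering a page with an `admin_notes` placeholder never loads that column, while `leaky_api_payload` shows the pattern the table below calls "easy to over-fetch": the hash travels with the object whether or not the UI displays it.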
Architecture Comparison
| Security Aspect | React / Next.js | djust Unibody |
|---|---|---|
| Code Visibility | Public (Bundled JS) | Private (Server Only) |
| Attack Surface | High (Dozens of API Endpoints) | Minimal (1 WebSocket) |
| Data Fetching | Manual (Easy to over-fetch) | Automated (JIT Restricted) |
| Validation | Duplicated (Client + Server) | Unified (Server Only) |
WebSocket Hardening
Server-side rendering removes the per-endpoint API surface, but the WebSocket connection that carries client events needs its own defenses. djust ships with four layers of protection, enabled by default.
Event Name Guard
A regex filter rejects dunder names, underscore-prefixed (private) methods and malformed names before `getattr()` is ever called, so attribute lookup never sees a hostile event name.
@event_handler Allowlist
Only methods explicitly decorated with `@event_handler` are callable over the WebSocket. Strict mode is the default; no opt-in is required.
Server-Side Rate Limiting
A token bucket per connection, plus a per-handler `@rate_limit` for expensive operations. A client that exceeds its budget is disconnected automatically.
Per-IP Connection Limits
A process-level tracker enforces a maximum number of concurrent WebSocket connections per IP (the cap applies per worker process). It honours `X-Forwarded-For` for proxied deployments, which is only safe when the header is set by a reverse proxy you control, since a client connecting directly can forge it.
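To show how the four layers compose in dispatch order, here is an added plain-Python sketch. It is not djust's implementation: the decorator names `@event_handler` and `@rate_limit` echo this page, but their signatures, the event-name regex, the bucket sizes, the `LiveView`/`CheckoutView` classes and the `ConnectionTracker` are all assumptions made for the example. The clock is injectable so the rate limiting is testable without sleeping.

```python
from __future__ import annotations

import re
import time
from collections import defaultdict
from typing import Callable

# Layer 1: the only shape an event name may have. Leading underscores (private
# and dunder names), dots, spaces, uppercase and empty strings are rejected.
EVENT_NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,63}$")


class EventNameError(ValueError):
    """Event rejected before any attribute lookup happened."""


class RateLimited(Exception):
    """Budget exceeded; the caller should close the socket."""


def is_safe_event_name(name: str) -> bool:
    return bool(EVENT_NAME_RE.match(name))


def event_handler(fn: Callable) -> Callable:
    """Layer 2: mark a method as callable over the WebSocket (the allowlist)."""
    fn._ws_event = True
    return fn


def rate_limit(capacity: int, refill_per_s: float) -> Callable:
    """Layer 3b: attach a per-handler budget to an expensive operation."""
    def decorate(fn: Callable) -> Callable:
        fn._ws_bucket = (capacity, refill_per_s)
        return fn
    return decorate


class TokenBucket:
    """Layer 3a: classic token bucket; `clock` is injectable for testing."""

    def __init__(self, capacity: int, refill_per_s: float,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = float(capacity)
        self.refill = float(refill_per_s)
        self.tokens = float(capacity)
        self.clock = clock
        self.last = clock()

    def take(self, n: float = 1.0) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens < n:
            return False
        self.tokens -= n
        return True


class ConnectionTracker:
    """Layer 4: cap concurrent sockets per client IP (within one process)."""

    def __init__(self, max_per_ip: int):
        self.max_per_ip = max_per_ip
        self.active = defaultdict(int)

    @staticmethod
    def client_ip(peer_ip: str, headers: dict, trust_proxy: bool) -> str:
        xff = headers.get("x-forwarded-for", "")
        if trust_proxy and xff:
            # The rightmost entry was appended by the proxy we trust; anything
            # to its left arrived from the client and may be forged.
            return xff.split(",")[-1].strip()
        return peer_ip  # never trust XFF on a direct connection

    def connect(self, ip: str) -> bool:
        if self.active[ip] >= self.max_per_ip:
            return False
        self.active[ip] += 1
        return True

    def disconnect(self, ip: str) -> None:
        self.active[ip] = max(0, self.active[ip] - 1)


class LiveView:
    """Dispatches one client's events through every guard, in order."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._conn_bucket = TokenBucket(20, 10.0, clock)  # per-connection budget
        self._handler_buckets = {}

    def dispatch(self, event: str, payload: dict):
        if not is_safe_event_name(event):                        # layer 1
            raise EventNameError(f"malformed event name {event!r}")
        fn = getattr(self, event, None)                          # only now
        if fn is None or not getattr(fn, "_ws_event", False):    # layer 2
            raise EventNameError(f"{event!r} is not an @event_handler")
        if not self._conn_bucket.take():                         # layer 3a
            raise RateLimited("connection budget exhausted")
        limit = getattr(fn, "_ws_bucket", None)
        if limit is not None:                                    # layer 3b
            bucket = self._handler_buckets.setdefault(
                event, TokenBucket(*limit, clock=self._clock))
            if not bucket.take():
                raise RateLimited(f"{event!r} budget exhausted")
        return fn(payload)


class CheckoutView(LiveView):
    @event_handler
    def add_to_cart(self, payload: dict) -> dict:
        return {"cart": [payload["sku"]]}

    @event_handler
    @rate_limit(capacity=2, refill_per_s=0.0)
    def export_report(self, payload: dict) -> str:
        return "report-ready"

    def _reset_password(self, payload: dict) -> str:  # private: unreachable
        return "reset"

    def internal_helper(self, payload: dict) -> str:  # undecorated: unreachable
        return "leaked"
```

The ordering is the point: the regex runs before `getattr()` so a name like `add_to_cart.__globals__` or `__class__` never reaches attribute lookup, the allowlist check means an undecorated public method is just as unreachable as a private one, and a `RateLimited` exception is the signal for the transport layer to drop the connection.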
Security Deep Dives
Read the technical details behind djust's security architecture.
Security-First Development: How djust Protects Your Application by Default
Built-in security utilities, automated vulnerability scanning, and pre-commit hooks.
WebSocket Event Security: Three Layers of Protection in djust
Deep dive into the event name guard, decorator allowlist, and rate limiting architecture.
djust 0.2.1: WebSocket Security Hardening with Three Layers of Defense
Release notes covering the full security hardening implementation and upgrade guide.