Security strategies for multi-tenant applications
2020-09-19, 09:55–10:35, Virtual

When writing multi-tenant applications, a very typical and dangerous bug is to forget about a WHERE statement and show data to the wrong users. This often goes unnoticed, since most people are only testing with one user account. This talk discusses strategies to prevent this class of error entirely.


Most modern web applications are multi-tenant applications in some way – they allow specific users, groups, or organizations access some data or work together in some way, but separated from other groups that are served by the same application.

Therefore, the software somehow needs to know what data to show and separate data of multiple tenants from each other in a safe way. The talk will discuss options on how to do this on a database level and in which situations this is possible.

However, often it’s not possible or feasible to solve this on a database level, so one falls back to handling multi-tenancy manually, by adding a WHERE tenant = current_tenant clause to every database access. This requires great caution and can quickly lead to dangerous bugs and data leaks: If the clause is forgotten, it will users can see data from other tenants. However, during development and testing, it will probably look fine due to lack of enough tenants to make the problem easily visible.

This talk will present strategies to prevent this kind of problem, including the Django library django-scopes which allows to make sure no such query ever slips through. While the library is Django-specific, the ideas behind it are not.