Today's upgrade: improving websites, better security


This morning’s system update went smoothly, and we’ve made a couple of great changes :-)

Improved website routing

This one should be pretty much transparent to you, but we’ve revamped the way we route requests for the websites that we host; this should speed things up for some people.

Noisy neighbours always cause problems, in the real world and on the Internet. When someone writes a website that hogs system resources on PythonAnywhere, sometimes it can impact other people who happen to be on the same server. Naturally, we monitor the system, and when we find a particularly badly-behaved website we notify its owner by email and ask them to fix it – or in extreme cases, if it’s causing serious problems, we shut it down. But that’s far from ideal.

Today’s update makes that all a lot better. We’ve given ourselves, the system administrators, fine-grained control over where websites run. So now, if we see a website that’s causing slowdowns for other users, as well as notifying the owner so that they can fix it, we can move it right away onto a server where it won’t impact other people. We’re calling it “putting them in the sin bin”…

Security is important

…as people have reminded us frequently in suspiciously-similar Tweets. And they’re right! So we’ve implemented two-factor authentication, using Google Authenticator (or any other TOTP app). It’s currently going through a short internal-only testing process (in other words, we’ve switched it on for our own accounts to see if it breaks anything) and if all is well, we’ll provide it as an option for everyone next week.

On the subject of security, we’ve also fixed a couple of bugs: Nikhil Mittal reported a CSRF issue on PythonAnywhere that would have allowed an attacker who knew both your username and the internal database ID of one of your scheduled tasks to delete that task, if they tricked you into visiting a web page that they controlled while you were logged in to PythonAnywhere. It wouldn’t have given the attacker access to any of your data, but it could have been really irritating, and we’re glad it was reported so that we could fix it. Bug: fixed. Bug bounty: paid. Nikhil also reported some issues around our email confirmation system, which we’ve also fixed.
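To make the CSRF issue above concrete, here is an added illustration; it is not PythonAnywhere's code, and the post does not say how the fix was implemented. It models a delete that is authorised by the session cookie alone, next to one common mitigation, a per-session CSRF token. Every name, the session ID and the task ID are constructed for the example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed)
SESSIONS = {"sess-abc": "alice"}       # session cookie -> username (constructed)


def csrf_token_for(session_id: str) -> str:
    """Token bound to one session; the site embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def delete_task_cookie_only(tasks, session_id, username, task_id):
    """Vulnerable shape: the session cookie alone authorises the delete."""
    if SESSIONS.get(session_id) != username:
        return False
    return tasks.pop((username, task_id), None) is not None


def delete_task_with_token(tasks, session_id, username, task_id, token):
    """Hardened shape: also require the per-session token from the form."""
    expected = csrf_token_for(session_id)
    if not token or not hmac.compare_digest(expected, token):
        return False
    return delete_task_cookie_only(tasks, session_id, username, task_id)


def demo():
    results = {}
    # A forged cross-site request: the browser attaches the cookie and the
    # other page supplies the username and task ID, but it cannot read the token.
    forged = {"session_id": "sess-abc", "username": "alice", "task_id": 42}

    tasks = {("alice", 42): "daily backup"}
    results["cookie_only_forged"] = delete_task_cookie_only(tasks, **forged)

    tasks = {("alice", 42): "daily backup"}
    results["token_forged"] = delete_task_with_token(tasks, **forged, token="")
    results["token_guess"] = delete_task_with_token(tasks, **forged, token="0" * 64)
    results["task_survives"] = ("alice", 42) in tasks
    # The site's own form carries the token, so the real user still succeeds.
    results["token_legit"] = delete_task_with_token(
        tasks, **forged, token=csrf_token_for("sess-abc"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged request succeeds only against the cookie-only handler; with the token check, knowing the username and task ID is no longer enough.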

…and the rest

As always, we’ve put in a number of user interface tweaks, including fixing the print preview on IPython notebooks.

That’s it!

Thanks for reading, and for using PythonAnywhere :-)
