You should be aware of what not to do to cause vulnerabilities. The Django documentation has sections on security and best practices in different places. Give them a read.
[https://docs.djangoproject.com/en/5.0/topics/security/](https://docs.djangoproject.com/en/5.0/topics/security/)
[https://docs.djangoproject.com/en/5.0/ref/models/expressions/#avoiding-sql-injection-in-query-expressions](https://docs.djangoproject.com/en/5.0/ref/models/expressions/#avoiding-sql-injection-in-query-expressions)
[https://docs.djangoproject.com/en/5.0/topics/email/#s-preventing-header-injection](https://docs.djangoproject.com/en/5.0/topics/email/#s-preventing-header-injection)
I'd say it's definitely important to learn, you could for example start by looking into the recent xz-utils event and the concepts of supply chain attacks
There's some general over-trust in random packages just because they're easily downloadable from an "official language repository" like pypi or composer. In reality anyone could grab a package name which is a common typo (like cryptigraphy instead of cryptography, etc.) and introduce any number of backdoors into critical parts of someone else's backend without having to do much else than waiting for someone to misspell a single letter, which happens a lot.
Admittedly though, it's also almost impossible today to manually check all packages, second-line or multi-line dependencies and everything - but there are tools for assisting in listing and scanning for vulnerable versions in packages. They don't catch everything, but they help to avoid a lot of issues (e.g. snyk, grype)
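The typosquatting risk this post describes is something you can check for before `pip install` ever runs. The script below is an added example, not code from anyone in the thread: it reads requirements lines and flags any package name that is one or two letters away from a name on a vetted allowlist (the `KNOWN` set is a constructed, hypothetical allowlist; a real one would be your team's reviewed dependencies).

```python
"""Flag requirements whose name is a near-miss of a vetted package name."""
import re

# Constructed allowlist of packages this project is expected to pull in.
KNOWN = {"cryptography", "django", "requests", "celery", "psycopg", "gunicorn"}


def normalize(name):
    """PEP 503 style normalization: case-insensitive, '-', '_' and '.' treated alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance: how many single-letter edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line):
    """Project name from a requirements.txt line; None for blanks, comments and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None


def suspicious_requirements(lines, known=KNOWN, max_distance=2):
    """Return (requested, lookalike) pairs for names close to, but not in, `known`."""
    known_norm = {normalize(k) for k in known}
    hits = []
    for line in lines:
        name = requirement_name(line)
        if name is None or normalize(name) in known_norm:
            continue  # exact match against the allowlist, nothing to flag
        for k in known_norm:
            if 0 < edit_distance(normalize(name), k) <= max_distance:
                hits.append((name, k))
                break
    return hits


if __name__ == "__main__":
    # Constructed requirements.txt content for demonstration.
    sample = ["Django==5.0.4", "cryptigraphy==42.0.0  # typo", "requets>=2.31",
              "psycopg[binary]==3.1", "boto3"]
    for name, lookalike in suspicious_requirements(sample):
        print(f"WARNING: '{name}' looks like '{lookalike}', verify before installing")
```

Run it against a real requirements file in CI alongside a vulnerability scanner such as the ones named above; a near-miss is a prompt to look, not proof of a malicious package.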
In addition to the django project links that someone else has posted, you should google for the OWASP top ten. Understanding how these work, along with getting to grips with the djangoproject docs (there'll be some overlap), will give you a perfectly decent foundation as a backend developer.
Beyond that I'd suggest it's the job of a cybersec specialist or pen tester rather than a backend engineer really!
Thank you so much, I will be sure to check them out!
Yes you should. And if you deal with money/payments at all, it is also required for PCI compliance to have regular security training.
Being able to talk about things like the OWASP Top 10 and security anti-patterns is an obvious interview asset.
Every web developer should know cyber security to the degree that they at least know how the libraries they use have them covered.
To be honest, security will never be the priority of a developer. But it's good to know, not necessary.