I am developing a back-end web page using Django REST Framework. The web page is public, and it fetches information from a service. Thus, I have to deploy both the service and the web page.
Since the web page is public access (without any type of login), I could avoid having to set up the SSL stuff. However, by default, DRF comes with the browsable API and a login field. I know I can remove the browsable API, but is that enough?
For instance, my configuration would be:
(removing BrowsableAPIRenderer)
```python
'DEFAULT_RENDERER_CLASSES': (
    'rest_framework.renderers.JSONRenderer',
    'rest_framework.renderers.JSONPRenderer',
    'rest_framework_csv.renderers.CSVRenderer',
)
```
and:
```python
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_METHODS = (
    'GET',
    'HEAD',
    'OPTIONS',
)
```
I am using https://github.com/ottoyiu/django-cors-headers for the CORS stuff.
Would this be enough to avoid unwanted login attempts? Is there a specific way to disable that option?
What DEFAULT_PERMISSION_CLASSES should I use?
Best regards, and thanks for the help!
If you have a login and don't have SSL, your users are vulnerable to packet sniffing of their credentials on many WiFi and Ethernet networks. Such a vulnerability can be trivially exploited with the Firesheep Firefox plugin. Due to users' habit of reusing passwords, you could end up compromising the security of a more critical website, which is unfortunate. While it isn't entirely your problem if users reuse a password, SSL should be the base layer of protection for your users.
While it is possible to use Django templates with a Django REST Framework (DRF) backend, you are not limited to using Django for the front-end. Consider AngularJS with DRF. Anyway, there is a significant learning curve with AngularJS, but you needn't limit yourself to having Django supply the front-end.
As far as removing DRF's BrowsableAPIRenderer goes, that protection is "security through obscurity"; you need to lock down your APIs through a proper permission model, since an attacker can look at the traffic generated between the front-end and the back-end and manipulate the requests to the back-end. So, the discoverability of the interface by an adversary is not reduced by getting rid of the BrowsableAPIRenderer. It will obscure back-end resources the front-end isn't using, and make life for your front-end dev a little more painful.
For DEFAULT_PERMISSION_CLASSES, take a gander at the DRF permissions documentation. If you have two user groups (logged in/authenticated and not logged in), IsAuthenticatedOrReadOnly is the place to start. If you start to have per-model permission bifurcation for different user groups, DjangoModelPermissions is the place to dig into.
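To make the answer's point concrete (removing the renderer does not change who may do what; the permission and authentication policy does), here is an added settings lint for a public, read-only, login-free DRF deployment. It is example code written for this page, not from the original post or from DRF. The setting names and class paths are the real Django REST Framework and django-cors-headers ones; the DRF and CORS defaults it falls back to are the libraries' documented defaults; the two settings dicts at the bottom (the asker's configuration and a hardened variant) are constructed for illustration.

```python
# Added example (not from the original post): a settings lint for a public,
# read-only DRF deployment with no login. Setting names and class paths are
# the real Django REST Framework / django-cors-headers ones; the two settings
# dicts at the bottom are constructed for illustration.

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")   # the methods DRF treats as read-only

JSON_RENDERER = "rest_framework.renderers.JSONRenderer"
BROWSABLE = "rest_framework.renderers.BrowsableAPIRenderer"
SESSION_AUTH = "rest_framework.authentication.SessionAuthentication"
BASIC_AUTH = "rest_framework.authentication.BasicAuthentication"
ALLOW_ANY = "rest_framework.permissions.AllowAny"
AUTH_OR_READONLY = "rest_framework.permissions.IsAuthenticatedOrReadOnly"

# What DRF uses when a key is absent from the REST_FRAMEWORK dict.
DRF_DEFAULTS = {
    "DEFAULT_RENDERER_CLASSES": (JSON_RENDERER, BROWSABLE),
    "DEFAULT_AUTHENTICATION_CLASSES": (SESSION_AUTH, BASIC_AUTH),
    "DEFAULT_PERMISSION_CLASSES": (ALLOW_ANY,),
}
# django-cors-headers default when CORS_ALLOW_METHODS is not set.
CORS_DEFAULT_METHODS = ("DELETE", "GET", "OPTIONS", "PATCH", "POST", "PUT")


def effective(rest_framework, key):
    """Value DRF would actually use: the configured tuple, else its default."""
    return tuple(rest_framework.get(key, DRF_DEFAULTS[key]))


def write_allowed(method, authenticated):
    """The decision IsAuthenticatedOrReadOnly makes: safe methods pass for
    everyone, unsafe ones only for an authenticated user."""
    return method in SAFE_METHODS or authenticated


def check_public_readonly(rest_framework, cors):
    """Return findings for a deployment meant to be public, read-only and
    login-free. An empty list means the settings match that intent."""
    findings = []
    if BROWSABLE in effective(rest_framework, "DEFAULT_RENDERER_CLASSES"):
        findings.append("browsable API renderer is enabled")
    auth = effective(rest_framework, "DEFAULT_AUTHENTICATION_CLASSES")
    if SESSION_AUTH in auth:
        findings.append("SessionAuthentication accepts Django login cookies; "
                        "use an empty tuple if nobody should log in")
    if BASIC_AUTH in auth:
        findings.append("BasicAuthentication carries credentials on every "
                        "request; without SSL they are sniffable")
    perms = effective(rest_framework, "DEFAULT_PERMISSION_CLASSES")
    if perms == (ALLOW_ANY,):
        findings.append("permission policy is AllowAny (DRF default): unsafe "
                        "methods are open to anonymous clients")
    # With no authentication classes every request is anonymous, so
    # IsAuthenticatedOrReadOnly makes the whole API read-only; with an
    # authenticator present, authenticated users can still write.
    if AUTH_OR_READONLY in perms and auth:
        findings.append("IsAuthenticatedOrReadOnly plus an authenticator still "
                        "lets authenticated users write; confirm that is wanted")
    # CORS only constrains browsers and is not an authorization control; a
    # write method here is just a hint that writes are expected somewhere.
    for method in cors.get("CORS_ALLOW_METHODS", CORS_DEFAULT_METHODS):
        if method.upper() not in SAFE_METHODS:
            findings.append(f"CORS allows {method.upper()}, a write method")
    return findings


# Constructed: the asker's configuration (renderers trimmed, CORS read-only,
# but authentication and permissions left at the DRF defaults).
ASKER_REST_FRAMEWORK = {
    "DEFAULT_RENDERER_CLASSES": (JSON_RENDERER,
                                 "rest_framework_csv.renderers.CSVRenderer"),
}
ASKER_CORS = {"CORS_ORIGIN_ALLOW_ALL": True,
              "CORS_ALLOW_METHODS": ("get", "head", "options")}

# Constructed: a hardened variant for a public read-only API with no login.
HARDENED_REST_FRAMEWORK = {
    "DEFAULT_RENDERER_CLASSES": (JSON_RENDERER,),
    "DEFAULT_AUTHENTICATION_CLASSES": (),               # nobody logs in
    "DEFAULT_PERMISSION_CLASSES": (AUTH_OR_READONLY,),  # anonymous => read-only
}
HARDENED_CORS = {"CORS_ORIGIN_ALLOW_ALL": True,
                 "CORS_ALLOW_METHODS": SAFE_METHODS}

if __name__ == "__main__":
    for name, rf, cors in (("asker", ASKER_REST_FRAMEWORK, ASKER_CORS),
                           ("hardened", HARDENED_REST_FRAMEWORK, HARDENED_CORS)):
        print(name, check_public_readonly(rf, cors) or "no findings")
```

Run against the asker's settings, the lint reports nothing about the renderer (it was removed) but three findings that the renderer change did not touch: SessionAuthentication, BasicAuthentication and AllowAny are all still in force because they come from DRF's defaults. The hardened variant reports nothing: with no authentication classes every request is anonymous, so IsAuthenticatedOrReadOnly reduces the whole API to the safe methods. The login form in the browsable API is provided by including rest_framework.urls in urlpatterns; a deployment that never includes them and leaves DEFAULT_AUTHENTICATION_CLASSES empty has no login surface, which is the direct answer to the question about disabling that option.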