Django web application security checklist

Ensure that your web application is secure and ready for deployment.


In this article, I will discuss a number of ways in which you can help shield your web application from harm.

Tip 1: DEBUG = False

If you don’t do this, Django will expose all your settings and environment variables whenever an exception occurs.

settings.py

DEBUG = False

Tip 2: Deployment checklist

python manage.py check --deploy

You will then see information pertaining to your Django web application. This is very useful for getting a quick breakdown of the major issues that need your attention before you go through with deployment.

For those of you that like to get ahead early in the game, give those security messages a quick google.

Tip 3: Cross-site Scripting (XSS)

Luckily for you, you can minimize the damage of XSS attacks by adding the following lines:

settings.py

SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True

Tip 4: SSL Redirect

settings.py

SECURE_SSL_REDIRECT = True

Tip 5: Change the default Django admin URL

Check the before and after code snippets to understand how to change your admin URL.

urls.py

BEFORE

# urls.py
from django.contrib import admin
from django.urls import path

urlpatterns = [
    # Change 'admin/' to something else.
    path('admin/', admin.site.urls),  # Default admin URL
]

urls.py

AFTER

# urls.py
from django.contrib import admin
from django.urls import path

urlpatterns = [
    # Admin path changed.
    path('secret-admin/', admin.site.urls),  # Updated admin URL
]

Tip 6: HTTP Strict Transport Security (HSTS)

settings.py

SECURE_HSTS_SECONDS = 86400 # Equivalent to 1 day
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

Tip 7: Cross site request forgery (CSRF) protection

settings.py

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

The above settings prevent you from accidentally sending your session cookie and your CSRF cookie over plain HTTP.
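As an added example that is not from the article, here is a small Python audit that applies the production values from Tips 1, 3, 4, 6 and 7 to a plain settings dict, in the spirit of the check --deploy command from Tip 2. The finding messages are this example's own, not Django's check identifiers, and the one-year threshold reflects the minimum max-age the hstspreload.org list accepts.

```python
# Added example, not code from the article: a stand-alone audit in the spirit of
# ``manage.py check --deploy`` for the settings in Tips 1, 3, 4, 6 and 7. It takes
# a plain dict so it runs without Django; the messages are this example's own.

# Settings that must be True in production, with the risk each one addresses.
REQUIRED_TRUE = {
    "SECURE_SSL_REDIRECT": "HTTP requests are not redirected to HTTPS (Tip 4)",
    "SECURE_CONTENT_TYPE_NOSNIFF": "browsers may MIME-sniff responses (Tip 3)",
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": "HSTS does not cover subdomains (Tip 6)",
    "SESSION_COOKIE_SECURE": "session cookie may travel over plain HTTP (Tip 7)",
    "CSRF_COOKIE_SECURE": "CSRF cookie may travel over plain HTTP (Tip 7)",
}
ONE_YEAR = 31536000  # minimum max-age accepted by the hstspreload.org list


def audit_settings(settings):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    # Tip 1: with DEBUG on, Django's error page shows settings and environment.
    if settings.get("DEBUG", False):
        findings.append("DEBUG is True: error pages expose configuration (Tip 1)")
    for name, reason in REQUIRED_TRUE.items():
        if not settings.get(name, False):
            findings.append(f"{name} is not True: {reason}")
    # Tip 6: the HSTS header is only sent when SECURE_HSTS_SECONDS is positive,
    # and preload submission is rejected below a one-year max-age.
    hsts = settings.get("SECURE_HSTS_SECONDS", 0)
    if hsts <= 0:
        findings.append("SECURE_HSTS_SECONDS is 0: no HSTS header is sent (Tip 6)")
    elif settings.get("SECURE_HSTS_PRELOAD", False) and hsts < ONE_YEAR:
        findings.append(f"SECURE_HSTS_PRELOAD set but max-age {hsts} < {ONE_YEAR}")
    return findings


# Constructed samples: the article's hardened values, and a development
# configuration that was never changed before deployment.
HARDENED = {
    "DEBUG": False, "SECURE_CONTENT_TYPE_NOSNIFF": True, "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 86400, "SECURE_HSTS_PRELOAD": True,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True,
}
DEV_DEFAULTS = {"DEBUG": True}

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("dev defaults", DEV_DEFAULTS)):
        for line in audit_settings(cfg) or ["no findings"]:
            print(f"[{label}] {line}")
```

Running it against the article's own values shows that a one-day SECURE_HSTS_SECONDS is too short once SECURE_HSTS_PRELOAD is set.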

Tip 8: Use python-decouple

Be sure to use python-decouple to keep your configuration and secrets separate from your code.

Read the below link, if you want some background, otherwise let’s move on!

Now let’s set python-decouple up:

Step one:

To install python-decouple in your application, open up your terminal and type in the following command:

pip install python-decouple

Step two:

Create a .env file in your repository’s root directory.

Step three:

.env file

As a test, we will store some important values: DEBUG and SECRET_KEY. Simply copy your DEBUG and SECRET_KEY values from settings.py into your .env file as they are.

DEBUG=False
SECRET_KEY='my_secret_key'

Step four (Git users):

If you happen to be using Git be sure to .gitignore your .env file for security purposes.

Step five:

settings.py

Next you want to import the decouple library:

from decouple import config

Step six:

settings.py

Now we want to get our parameters.

python-decouple always returns values as strings. To solve this, cast to bool when you expect a boolean, or to int when you expect an integer.

Go back to your settings.py and modify your existing debug and secret key values with the following:

DEBUG = config('DEBUG', cast=bool) # - Cast it to a boolean
SECRET_KEY = config('SECRET_KEY')

DONE!

Tip 9: Content Security Policy (CSP)

For more information about this topic, please take a look at the links below:

Tip 10: Research, research, research

Research what you can online and also be sure to check out Django’s official deployment checklist for additional guidance:

Tip 11: Mozilla Observatory

Final note

I’m just a simple guy trying to find his way in this world.