Django web application security checklist

Ensure that your web application is secure and ready for deployment.

Photo by Georg Bommeli on Unsplash

Django as it stands

Django is a batteries-included framework that is inherently secure, but there are still a few things that we need to ‘tweak’ on our end in order for us to fully utilize Django's defense capabilities.

Tip 1: DEBUG = False

Please, please, please never deploy your application with DEBUG = True. This is a terrible idea: Django's debug error pages show settings, stack traces and local variables to anyone who can trigger an error. Make sure that DEBUG = False:

DEBUG = False

Tip 2: Deployment checklist

The next thing that you want to do is to run the below command in your terminal:

python manage.py check --deploy

Tip 3: Cross-site Scripting (XSS)

Cross-site scripting attacks involve an attacker injecting a malicious script into your application. If an XSS attack succeeds, the attacker may be able to steal your users' sensitive information.

SECURE_BROWSER_XSS_FILTER = True # - Sends the X-XSS-Protection header
SECURE_CONTENT_TYPE_NOSNIFF = True # - Sends the X-Content-Type-Options: nosniff header

Tip 4: SSL Redirect

The below line will ensure that your application redirects to HTTPS.

SECURE_SSL_REDIRECT = True

Tip 5: Change the default Django admin URL

Someone who is familiar with Django can easily find your admin page by simply typing "www.yourwebsite.com/admin" into their browser. Therefore, it is essential that you change your 'admin/' URL to something unique and memorable.

# urls.py
from django.contrib import admin
from django.urls import path

urlpatterns = [
    # Change admin to something else.
    path('admin/', admin.site.urls),  # - Default admin URL
]

# urls.py
from django.contrib import admin
from django.urls import path

urlpatterns = [
    # Admin path changed
    path('secret-admin/', admin.site.urls),  # - Updated admin URL
]

Tip 6: HTTP Strict Transport Security (HSTS)

HSTS tells browsers to connect to your site only over HTTPS for the number of seconds you specify, which helps protect your web application from man-in-the-middle attacks.

SECURE_HSTS_SECONDS = 86400 # Equivalent to 1 day
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

Tip 7: Cross site request forgery (CSRF) protection

Ensure that HTTPS is set up, then be sure to add these two lines so that the session and CSRF cookies are only ever sent over HTTPS:

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
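The settings from Tips 1 to 7 can be checked offline before manage.py check --deploy ever runs. The block below is an added example written for this page, not code from the article and not Django's own deploy check: an audit_settings function that walks a plain dict of settings (the setting names are real Django settings, the two sample dicts are constructed). It goes beyond the page on two points worth knowing: SECURE_BROWSER_XSS_FILTER was removed in Django 4.0 because current browsers ignore the X-XSS-Protection header it sent, and SECURE_HSTS_PRELOAD only gets a site onto the browser preload list when subdomains are included and max-age is at least one year, so the one-day value in Tip 6 is a safe starting point but not a preload-ready one.

```python
"""Offline audit of Django settings against the checklist tips.

Added example, not code from the article and not Django's own
`manage.py check --deploy`: it never imports Django, so it can run in CI on
any mapping of setting names to values (e.g. vars(settings_module)).
"""
from typing import Any, List, Mapping, Tuple

SECRET_KEY_MIN_LENGTH = 50           # thresholds Django's deploy check applies
SECRET_KEY_MIN_UNIQUE = 5
SECRET_KEY_INSECURE_PREFIX = "django-insecure-"
HSTS_PRELOAD_MIN_SECONDS = 31536000  # hstspreload.org requires a one-year max-age

# Constructed sample: a project that has not applied the checklist yet.
INSECURE_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-change-me",
    "ALLOWED_HOSTS": [],
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
}

# Constructed sample: the same project after Tips 1, 3, 4, 6 and 7. The key is
# a placeholder that only satisfies the length rules; real keys come from the
# environment (Tip 8), never from source.
HARDENED_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": "EXAMPLE-ONLY-" + "0123456789abcdef" * 3,
    "ALLOWED_HOSTS": ["www.example.com"],
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": HSTS_PRELOAD_MIN_SECONDS,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}


def audit_settings(settings: Mapping[str, Any]) -> List[Tuple[str, str]]:
    """Return (setting, problem) pairs; an empty list means every check passed.
    Absent settings take Django's defaults, so an unmentioned
    SECURE_SSL_REDIRECT is audited as False."""
    problems: List[Tuple[str, str]] = []
    get = settings.get

    # Tip 1: debug pages expose settings, stack traces and local variables.
    if get("DEBUG", False):
        problems.append(("DEBUG", "must be False in production"))

    key = str(get("SECRET_KEY", ""))
    if (len(key) < SECRET_KEY_MIN_LENGTH or len(set(key)) < SECRET_KEY_MIN_UNIQUE
            or key.startswith(SECRET_KEY_INSECURE_PREFIX)):
        problems.append(("SECRET_KEY", "too short, too repetitive, or the generated insecure key"))

    # With DEBUG off, an empty ALLOWED_HOSTS makes Django reject every request.
    if not get("ALLOWED_HOSTS", []):
        problems.append(("ALLOWED_HOSTS", "must list the hostnames you serve"))

    # Tip 3: nosniff is on by default; flag anyone who turned it off. The XSS
    # filter setting was removed in Django 4.0 and browsers ignore the header
    # it sent, so a CSP (Tip 9) is the replacement.
    if not get("SECURE_CONTENT_TYPE_NOSNIFF", True):
        problems.append(("SECURE_CONTENT_TYPE_NOSNIFF", "should be True"))
    if "SECURE_BROWSER_XSS_FILTER" in settings:
        problems.append(("SECURE_BROWSER_XSS_FILTER", "no effect on Django 4.0+; use a CSP"))

    # Tip 4: every plain-HTTP request should be redirected.
    if not get("SECURE_SSL_REDIRECT", False):
        problems.append(("SECURE_SSL_REDIRECT", "should be True"))

    # Tip 6: a zero max-age disables HSTS; preload additionally needs
    # includeSubDomains and a max-age of at least one year.
    hsts = int(get("SECURE_HSTS_SECONDS", 0))
    if hsts <= 0:
        problems.append(("SECURE_HSTS_SECONDS", "should be greater than 0"))
    elif get("SECURE_HSTS_PRELOAD", False):
        if not get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
            problems.append(("SECURE_HSTS_PRELOAD", "requires SECURE_HSTS_INCLUDE_SUBDOMAINS = True"))
        if hsts < HSTS_PRELOAD_MIN_SECONDS:
            problems.append(("SECURE_HSTS_PRELOAD",
                             f"preload needs max-age >= {HSTS_PRELOAD_MIN_SECONDS}, got {hsts}"))

    # Tip 7: session and CSRF cookies must never travel over plain HTTP.
    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not get(name, False):
            problems.append((name, "should be True"))
    return problems


if __name__ == "__main__":
    for setting, problem in audit_settings(INSECURE_SETTINGS):
        print(f"{setting}: {problem}")
```

Run it against the insecure sample and every tip that has not been applied is listed; run it against the hardened sample and it returns an empty list. It is deliberately stricter than Django's own check on HSTS preload, because a site that sets SECURE_HSTS_PRELOAD with a short max-age simply never gets accepted onto the preload list and nobody notices.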

Tip 8: Use python-decouple

Your settings.py file will be full of sensitive information, such as SECRET_KEY. Keep those values out of the file and out of version control: install python-decouple, put the secrets in a .env file, and read them from settings.py.

pip install python-decouple

# .env
DEBUG=False
SECRET_KEY='my_secret_key'

# settings.py
from decouple import config
DEBUG = config('DEBUG', cast=bool) # - Cast it to a boolean
SECRET_KEY = config('SECRET_KEY')
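The cast=bool above matters more than it looks: in Python, bool("False") is True, so a hand-rolled os.environ lookup without a proper cast silently turns DEBUG on in production. The block below is an added example, not code from the article and not python-decouple's own code. It uses only the standard library to show the two behaviours a settings loader must have: a missing SECRET_KEY stops startup instead of falling back to a default, and boolean text is parsed strictly. The sample environments are constructed; python-decouple's config() does the same job inside settings.py.

```python
"""Fail-closed loading of settings from the environment (stdlib only).

Added example, not part of the article and not python-decouple's code.
"""
import os
from typing import Any, Dict, List, Mapping

TRUE_WORDS = {"true", "yes", "on", "1"}
FALSE_WORDS = {"false", "no", "off", "0"}


class SettingsError(RuntimeError):
    """A missing or malformed value: the process should refuse to start."""


def to_bool(raw: str) -> bool:
    """Strict text-to-bool cast; anything outside the known words is an error.
    bool("False") would be True, which is the bug that enables DEBUG in prod."""
    word = raw.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise SettingsError(f"not a boolean: {raw!r}")


def to_csv(raw: str) -> List[str]:
    """'a.example.com, b.example.com' -> ['a.example.com', 'b.example.com']."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def settings_from_env(env: Mapping[str, str] = os.environ) -> Dict[str, Any]:
    """Build the sensitive part of settings.py from environment variables."""
    if not env.get("SECRET_KEY", "").strip():
        # No fallback: a default secret would sign sessions for every deployment.
        raise SettingsError("SECRET_KEY is not set")
    return {
        "SECRET_KEY": env["SECRET_KEY"],
        # When the variable is absent, default to the safe value.
        "DEBUG": to_bool(env.get("DEBUG", "False")),
        "ALLOWED_HOSTS": to_csv(env.get("ALLOWED_HOSTS", "")),
    }


# Constructed sample environments, as a .env file or a container would set them.
PRODUCTION_ENV = {
    "SECRET_KEY": "EXAMPLE-ONLY-" + "0123456789abcdef" * 3,  # placeholder value
    "DEBUG": "False",
    "ALLOWED_HOSTS": "www.example.com, example.com",
}
MISSING_KEY_ENV = {"DEBUG": "False"}


if __name__ == "__main__":
    print(settings_from_env(PRODUCTION_ENV))
```

In settings.py the equivalent is the config('DEBUG', cast=bool) line from the tip; the point of the stand-alone version is that a loader should raise on a missing secret or on DEBUG=maybe rather than guess.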

Tip 9: Content Security Policy (CSP)

A content security policy (CSP) tells the browser where scripts, styles and other resources may be loaded from, which is especially useful if your web application contains a lot of styles and inline scripts. It can be useful for preventing clickjacking, cross-site scripting and other types of code injection attacks.
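The page does not show what a CSP header looks like, so here is an added example written for this page (not code from the article). It builds a nonce-based Content-Security-Policy header that covers the three attack classes named above, and includes a small checker for the directives that quietly undo a policy: a wildcard origin, 'unsafe-inline', 'unsafe-eval', or a missing frame-ancestors. In a Django project the header is normally emitted by the django-csp package; this stand-alone version uses only the standard library.

```python
"""Build and sanity-check a nonce-based Content-Security-Policy header.

Added example, not code from the article. django-csp is the usual way to
emit this header from Django; this stand-alone version shows what the
header should contain and checks any policy string for weak directives.
"""
import secrets
from typing import Dict, List, Optional


def make_nonce() -> str:
    """One unpredictable nonce per response, never reused across responses."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce: str, report_uri: Optional[str] = None) -> str:
    """Strict policy: same-origin resources plus inline blocks carrying the nonce."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],        # no plugin content at all
        "base-uri": ["'self'"],          # no <base> tag rewriting of relative URLs
        "form-action": ["'self'"],       # forms may only submit to this origin
        "frame-ancestors": ["'none'"],   # the CSP answer to clickjacking
    }
    if report_uri:
        directives["report-uri"] = [report_uri]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'directive value value; directive value' into a dict."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def weak_directives(header: str) -> List[str]:
    """Findings for a policy that would still permit injected script or framing."""
    policy = parse_csp(header)
    findings: List[str] = []
    for name in ("default-src", "script-src", "style-src"):
        for token in policy.get(name, []):
            if token == "*":
                findings.append(f"{name} allows any origin (*)")
            elif token in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name} allows {token}")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing (no clickjacking protection)")
    return findings


if __name__ == "__main__":
    header = build_csp_header(make_nonce())
    print(header)
    print(weak_directives("default-src *; script-src 'self' 'unsafe-inline'"))
```

To use a policy like this, every inline <script> and <style> in your templates has to carry the nonce for that response, and the nonce must be generated fresh per request; a fixed nonce is no better than 'unsafe-inline'. Django's XFrameOptionsMiddleware already sends X-Frame-Options for clickjacking, so frame-ancestors complements rather than replaces it.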

Tip 10: Research, research, research

No matter how much effort you put in to protect your website, it will never be 100% secure, but that doesn’t mean you can’t do some research of your own and try to make it as secure as possible.

Tip 11: Mozilla Observatory

Once you have deployed your application, be sure to check out Mozilla Observatory. It will scan your website for potential security flaws. Once the scan is complete you will get a breakdown of what is good and what needs to be improved, as well as a cool overall score, just like when you received that 'amazing' math test back in high school.

Final note

Thank you for reading, and I hope this article helps you improve the security of your Django application. Good luck!

I’m just a simple guy trying to find his way in this world.
