Configuring Django app settings for production environment

If you are running a Django project in a production environment then you have to take care of the way you manage your settings.py file. Most developers have one settings file for development and one for production. In this tutorial I will show you how to make your settings file meet production environment requirements.

Is setting DEBUG to False enough?

It may seem that switching the DEBUG parameter is enough for a project deployment. However, this is not quite true. What this setting really controls is the display of verbose tracebacks and the logging of SQL queries.

One of the main features of debug mode is the display of detailed error pages.

From docs.djangoproject.com

Prerequisites

I assume you have already done the following:

When the requirements are met, move on to the next section.

Editing the settings

To secure your Django application for production usage you should edit some configuration files.

Secure the secret key

Locate your main app directory, the one that contains the config.py and settings.py files. Generate a secret key for your project. I used pass for this purpose. Append a SECRET_KEY variable to the config.py file.

Next, open settings.py. Import config.py if you have not already done so (from . import config) and change the SECRET_KEY in settings.py from the 'django-insecure..' value to config.SECRET_KEY.

Enable web vulnerability mitigation options

Add the following to the settings file:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True

SECURE_HSTS_SECONDS = 2592000  # one month
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True

The X-Forwarded-Proto header (which Django sees as HTTP_X_FORWARDED_PROTO) is sent by Nginx to Gunicorn to let it know that the request arrived over the TLS layer. On the first line we tell Django to treat the “https” value of that header as meaning the request is secure; only do this when Nginx overwrites that header on every request, because otherwise a client could set it itself. The SSL redirect option makes Django redirect to HTTPS, but this work should be done by Nginx.

The HSTS section enables HTTP Strict Transport Security, a technique that instructs a browser to remember that the site supports HTTPS and to connect to it only over HTTPS for a given period. You can specify the duration of this by editing the SECURE_HSTS_SECONDS parameter. It is set to 2,592,000 seconds (one month) here.

Turn off debug mode

Finally, set DEBUG to False. Overwrite the DEBUG = True line in your settings file:

DEBUG = False

Check if everything is OK

After completing the steps above, run the check command in the project virtual environment:

python manage.py check --deploy

The output will tell you if something should be edited in order to meet security requirements.
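As an added example (not part of the original tutorial), the following Python script generates a secret key the way the tutorial asks for and audits a settings mapping for the requirements covered above, mirroring a subset of what check --deploy reports; the PRODUCTION_SETTINGS mapping and the warning texts are constructed for this example, not Django's own.

```python
import secrets


def generate_secret_key(length: int = 50) -> str:
    """Return a random URL-safe key from the stdlib CSPRNG (secrets),
    replacing the 'django-insecure-...' value startproject writes."""
    return secrets.token_urlsafe(length)


# Constructed sample of the production settings the tutorial lists.
PRODUCTION_SETTINGS = {
    "DEBUG": False,
    "SECRET_KEY": generate_secret_key(),
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 2592000,  # one month
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_SECURE": True,
}


def audit_settings(settings: dict) -> list:
    """Return one message per production requirement the mapping misses.
    The SECRET_KEY rule follows Django's own criteria: at least 50 chars,
    at least 5 distinct chars, and not the insecure generated default."""
    problems = []
    key = settings.get("SECRET_KEY", "")
    if len(key) < 50 or len(set(key)) < 5 or key.startswith("django-insecure-"):
        problems.append("SECRET_KEY is short, low-entropy or the insecure default")
    if settings.get("DEBUG"):
        problems.append("DEBUG is True; tracebacks would be shown to visitors")
    if not settings.get("SECURE_SSL_REDIRECT"):
        problems.append("SECURE_SSL_REDIRECT is off; HTTP requests are served as-is")
    if not settings.get("SECURE_HSTS_SECONDS"):
        problems.append("SECURE_HSTS_SECONDS is unset; browsers get no HSTS policy")
    if not settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
        problems.append("SECURE_HSTS_INCLUDE_SUBDOMAINS is off")
    if not settings.get("SECURE_HSTS_PRELOAD"):
        problems.append("SECURE_HSTS_PRELOAD is off")
    for cookie in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(cookie):
            problems.append(f"{cookie} is off; the cookie can travel over plain HTTP")
    return problems


if __name__ == "__main__":
    for problem in audit_settings(PRODUCTION_SETTINGS) or ["all checks passed"]:
        print(problem)
```

Run the audit against a development copy of the settings (DEBUG on, default key) to see which items check --deploy would flag.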

Summary

When you know how to make your Django app production-ready, this process is easy and straightforward. Let’s recap the steps:

  1. Generate secure secret key.
  2. Mark the CSRF and session cookies as secure and enforce SSL/TLS with HSTS.
  3. Set DEBUG to False.

You might also want to read the Django deployment checklist.
