Configuring Django app settings for production environment

If you are running a Django project in a production environment then you have to take care of the way you manage your file. Most developers have one settings file for development and one for production. In this tutorial I will show you how to make your settings file meet production environment requirements.

Is setting DEBUG to False enough?

It may seem that switching the DEBUG parameter is enough for a project deployment. However, this is not quite true. What this setting really does is controlling verbose tracebacks and logging SQL queries.

One of the main features of debug mode is the display of detailed error pages.



I assume you have already done the following:

When the requirements are met, move on to the next section.

Editing the settings

To secure your Django application for production usage you should edit some configuration files.

Secure the secret key

Locate your main app directory which contains and files. Generate the secret key for your project. I used pass for this purpose. Append SECRET_KEY variable to file.

Next, open Import if you have not already done so: from . import config. Change the SECRET_KEY in from 'django-insecure..' to config.SECRET_KEY.

Enable web vulnerability mitigation options

Add the following to the settings file:


SECURE_HSTS_SECONDS = 2592000  # one month


The HTTP-X-Forwarded-Proto header is a header sent by Nginx to Gunicorn to let it know about the existence of the security layer. On the first line we tell Django to treat “https” value of that header as secure. The SSL redirect option enables redirect to HTTPS but this work should be done by Nginx.

The HSTS section enables HTTP Strict Transport Security — a security technique that makes a browser remember websites which support HTTPS. You can specify the duration of this by editing SECURE_HSTS_SECONDS parameter. It is set to 2,592,000 seconds (one month) here.

Turn off debug mode

Finally, set DEBUG to False. Overwrite the DEBUG = True line in your settings file:

DEBUG = False

Check if everything is OK

After you did the steps above, run the check command in the project virtual environment:

python check --deploy

The output will tell you if something should be edited in order to meet security requirements.


When you know how to make your Django app production-ready, this process is easy and straightforward. Let’s recap the steps:

  1. Generate secure secret key.
  2. Enable CSRF protection, session cookies as well as SSL/TLS.
  3. Set DEBUG to False.

You might also want to read Django deployment checklist.

Leave a Comment