If you are running a Django project in a production environment then you have to take care of the way you manage your
settings.py file. Most developers have one settings file for development and one for production. In this tutorial I will show you how to make your settings file meet production environment requirements.
Is setting DEBUG to False enough?
It may seem that switching the DEBUG parameter off is enough to deploy a project. However, this is not quite true: what the setting really controls is verbose tracebacks and the logging of SQL queries.
One of the main features of debug mode is the display of detailed error pages. (From docs.djangoproject.com)
I assume you have already done the following:
- Wrote a working Python Django application.
- Installed required software on the server.
- Set up the database and connected it to the app.
- A config.py file for keeping the DB password and security tokens separate from the settings file.
When the requirements are met, move on to the next section.
Editing the settings
To secure your Django application for production usage you should edit some configuration files.
Secure the secret key
Locate your main app directory, which contains the settings.py file. Generate the secret key for your project. I used pass for this purpose. Append the SECRET_KEY variable to config.py if you have not already done so, then import config in your settings file:
from . import config
Change the SECRET_KEY in
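As an added example (not the tutorial's code), here is a Django-free sketch of the two halves of this step: generating a key with the standard library, and loading it from a config mapping while refusing the weak values that Django's own deploy check complains about. The ImproperlyConfigured class and the function names are this example's own; in a real project config.py is imported as shown above and settings.py reads config.SECRET_KEY.

```python
import secrets
import string

# Same alphabet and length that Django's get_random_secret_key() uses:
# 50 characters drawn from lowercase letters, digits and a little punctuation.
SECRET_KEY_CHARS = string.ascii_lowercase + string.digits + "!@#$%^&*(-_=+)"
SECRET_KEY_LENGTH = 50


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (hypothetical,
    defined here so the example runs without Django installed)."""


def generate_secret_key(length=SECRET_KEY_LENGTH):
    """Return a cryptographically random key built with the secrets module."""
    return "".join(secrets.choice(SECRET_KEY_CHARS) for _ in range(length))


def validate_secret_key(key):
    """Raise ImproperlyConfigured for the key problems `check --deploy` flags:
    empty, the startproject 'django-insecure-' default, shorter than 50
    characters, or fewer than 5 distinct characters."""
    if not key:
        raise ImproperlyConfigured("SECRET_KEY is empty or missing")
    if key.startswith("django-insecure-"):
        raise ImproperlyConfigured("SECRET_KEY still carries the startproject default prefix")
    if len(key) < SECRET_KEY_LENGTH:
        raise ImproperlyConfigured("SECRET_KEY is shorter than 50 characters")
    if len(set(key)) < 5:
        raise ImproperlyConfigured("SECRET_KEY has fewer than 5 unique characters")
    return key


def load_secret_key(config, name="SECRET_KEY"):
    """Read the key from a mapping (vars(config), os.environ, ...) and validate it.
    Failing loudly at import time beats running production with a weak key."""
    return validate_secret_key(config.get(name))


if __name__ == "__main__":
    # Constructed stand-in for the config module: a dict with one freshly generated key.
    fake_config = {"SECRET_KEY": generate_secret_key()}
    print("loaded key of length", len(load_secret_key(fake_config)))
```

In settings.py the last line of the pattern is simply `SECRET_KEY = load_secret_key(vars(config))`, which keeps the key out of version control and makes a missing or default key a startup error instead of a silent weakness.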
Enable web vulnerability mitigation options
Add the following to the settings file:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 2592000  # one month
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
X-Forwarded-Proto (seen by Django as HTTP_X_FORWARDED_PROTO) is a header sent by Nginx to Gunicorn to tell it that the request came in over the TLS layer Nginx terminated. On the first line we tell Django to treat the value “https” in that header as meaning the request is secure. Only set this if the proxy overwrites the header on every request; otherwise a client can send the header itself and have a plain HTTP request treated as secure. The SSL redirect option makes Django redirect to HTTPS, but this work should really be done by Nginx.
The HSTS section enables HTTP Strict Transport Security — a security technique that makes a browser remember which websites support HTTPS and contact them only over HTTPS. You can specify the duration by editing the SECURE_HSTS_SECONDS parameter; it is set to 2,592,000 seconds (one month) here.
Turn off debug mode
Finally, set DEBUG to False by overwriting the DEBUG = True line in your settings file:
DEBUG = False
Check if everything is OK
After you have done the steps above, run the check command inside the project's virtual environment:
python manage.py check --deploy
The output will tell you if something should be edited in order to meet security requirements.
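To show what the settings above and the check command are actually verifying, here is an added example (not the tutorial's code and not Django's own implementation) that re-implements a reduced version of the `--deploy` checks over a plain dictionary, so it runs without a Django install. The message wording, the DEV_SETTINGS and PROD_SETTINGS dictionaries and the one-month HSTS threshold are this example's own constructions; Django's real checks carry IDs such as security.W0xx and cover more settings.

```python
ONE_MONTH = 2592000  # seconds; the SECURE_HSTS_SECONDS value used in this tutorial

# Constructed settings: what a freshly generated development settings.py looks like ...
DEV_SETTINGS = {
    "DEBUG": True,
    "SECRET_KEY": "django-insecure-example",
}

# ... and the production values recommended above.
PROD_SETTINGS = {
    "DEBUG": False,
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": ONE_MONTH,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_SECURE": True,
}


def deploy_check(settings):
    """Return a list of problems found in a settings mapping; an empty list means all clear.
    Each message names the setting and the consequence of leaving it as it is."""
    problems = []
    if settings.get("DEBUG", False):
        problems.append("DEBUG is True: detailed tracebacks and SQL queries would be shown to visitors")
    if not settings.get("SECURE_SSL_REDIRECT", False):
        problems.append("SECURE_SSL_REDIRECT is not True: plain HTTP requests are served, not redirected")
    hsts = settings.get("SECURE_HSTS_SECONDS", 0)
    if not hsts:
        problems.append("SECURE_HSTS_SECONDS is 0: no Strict-Transport-Security header is sent")
    else:
        # The subdomain and preload flags only matter once HSTS is on at all,
        # so they are checked only in this branch.
        if hsts < ONE_MONTH:  # threshold chosen for this example, matching the value above
            problems.append(f"SECURE_HSTS_SECONDS is {hsts}: shorter than the one month used here")
        if not settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
            problems.append("SECURE_HSTS_INCLUDE_SUBDOMAINS is not True: subdomains stay reachable over HTTP")
        if not settings.get("SECURE_HSTS_PRELOAD", False):
            problems.append("SECURE_HSTS_PRELOAD is not True: the site cannot join browser preload lists")
    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(name, False):
            problems.append(f"{name} is not True: the cookie may be sent over plain HTTP")
    proxy = settings.get("SECURE_PROXY_SSL_HEADER")
    if proxy is not None and not (isinstance(proxy, tuple) and len(proxy) == 2):
        problems.append("SECURE_PROXY_SSL_HEADER must be a (header_name, value) tuple")
    return problems


if __name__ == "__main__":
    for label, cfg in (("development", DEV_SETTINGS), ("production", PROD_SETTINGS)):
        found = deploy_check(cfg)
        print(f"{label}: {len(found)} problem(s)")
        for problem in found:
            print("  -", problem)
```

Running the script reports five problems for the development dictionary and none for the production one, which is the same pass/fail shape you should see from `python manage.py check --deploy` before and after applying this tutorial.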
Once you know how to make your Django app production-ready, the process is easy and straightforward. Let’s recap the steps:
- Generate a secure secret key.
- Mark the CSRF and session cookies as secure and enable SSL/TLS (redirect and HSTS).
- Set DEBUG to False.
You might also want to read the Django deployment checklist.