Get your Django app ready for production
The Internet is not a safe place, and there are no angels playing on the clouds. It is a dark place where a guy in a black sweatshirt is thinking about how to hack your site. If we can't make the world a safer place, let's at least make our own Django app safer and production ready.
Here’s your checklist:
check --deploy
Django has a built-in check that goes over your loaded settings and flags anything that is unsafe for production (DEBUG on, empty ALLOWED_HOSTS, insecure cookie flags, a weak SECRET_KEY, missing HSTS, and so on). It inspects whatever settings module is active, so run it with DJANGO_SETTINGS_MODULE pointing at your production settings and work through every warning it prints:
python manage.py check --deploy
SECRET_KEY
What's the big deal? There are millions of Django SECRET_KEYs sitting in public repositories on github.com. The key is what Django uses to sign sessions, password reset tokens and anything else that goes through its signing API, so anyone who has it can forge those. Never push your production secret key to a git repo; if it has ever been committed, generate a new one (existing sessions and unexpired reset links will stop working, which is the price of the leak). Best practice is to read sensitive values from environment variables:
import os

# Raises KeyError if SECRET_KEY is missing: a crashed start-up is better
# than silently running with a weak or shared default key.
SECRET_KEY = os.environ['SECRET_KEY']
DEBUG: True or not True
Never, ever enable DEBUG in production. With DEBUG = True, any unhandled error renders a page with the full traceback, local variable values and a dump of your settings to whoever triggered it, and Django keeps a record of every SQL query in memory, which leaks data and eventually exhausts it.
DEBUG = False
ALLOWED_HOSTS
Do you want to protect your site against HTTP Host header attacks (cache poisoning, poisoned password-reset links, and some CSRF variants)? If your answer is YES!, check your ALLOWED_HOSTS setting: it must list your real hostnames, never '*'. Django validates the Host header against this list, but only once the request reaches Django, so you should also configure the web server that sits in front of the application to reject unknown hosts (in nginx, for example, a default server block that answers with return 444 and never proxies to the app).
CACHES
Cache servers such as Memcached and Redis often ship with no authentication at all. Make sure they listen only on a private interface and accept connections only from your application servers. This matters more than it looks: Django's cache backends serialize values with pickle, so anyone who can write to your cache can get code execution on the app server the moment that value is read back.
DATABASE
Read the database connection parameters from environment variables as well and never add them to your git repo. Give the application its own database user with only the privileges it needs, and for maximum security make sure the database server accepts connections only from your application servers (bind it to a private address and add firewall rules on top).
MEDIA FILES
Don't trust users! If your Django application accepts file uploads, don't let users upload .php or any other executable files, and make sure the web server serving MEDIA_ROOT never executes anything stored there. Validate both the extension and the actual content, store uploads under random names rather than the name the client sent, and serve the media directory with script execution disabled, ideally from a separate domain so that a rogue HTML or SVG file cannot run in your site's origin.
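To make the upload rules concrete, here is an added example (not code from the original post) of a validator that enforces them. It is plain Python so it runs without Django; in a real project the same function belongs in a FileField validator or the form's clean_<field>() method. The extension allowlist, the magic-byte signatures, the size cap and the sample files are assumptions constructed for this example.

```python
"""Validate a user upload before it is written under MEDIA_ROOT.

Added example, not part of the original post. Everything here is an
assumption for illustration: the allowlist, the signatures and the limit.
"""
import os
import secrets

# Allowed extension -> magic bytes the file content must actually start with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example


class UploadRejected(ValueError):
    """Raised when an upload fails any of the checks below."""


def validate_upload(filename, data):
    """Return a safe storage name for `data`, or raise UploadRejected."""
    # 1. Size cap: a cheap guard against filling the disk.
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")

    # 2. Never trust the client's path; keep only the final component so
    #    '../../etc/passwd.jpg' cannot steer the write location.
    base = os.path.basename(filename.replace("\\", "/"))

    # 3. Decide by the last extension only and compare case-insensitively.
    #    'shell.php.png' ends up as a .png; some Apache setups match '.php'
    #    anywhere in the name, which is exactly why the media directory must
    #    never be configured to execute scripts at all.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")

    # 4. The content must match the claimed type: a PHP script renamed to
    #    .png does not start with the PNG signature.
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")

    # 5. Discard the user-supplied name entirely. A random name defeats
    #    overwrites of other users' files and guessable URLs.
    return f"{secrets.token_hex(16)}{ext}"


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a renamed script.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print(validate_upload("avatar.png", png))
    try:
        validate_upload("shell.png", b"<?php echo 1; ?>")
    except UploadRejected as exc:
        print("rejected:", exc)
```

The order of the checks is deliberate: the size check runs before anything touches the bytes, and the content check only runs for extensions you actually accept, so the signature table doubles as the allowlist.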
HTTPS
Use TLS: get a certificate (Let's Encrypt issues them for free) and use it! It's not a big deal. Then tell Django about it: set SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True and turn on HSTS with SECURE_HSTS_SECONDS. If a reverse proxy terminates TLS in front of Django, also set SECURE_PROXY_SSL_HEADER so Django can tell which requests arrived over HTTPS. check --deploy warns about each of these when they are off.
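The SECRET_KEY, DEBUG, ALLOWED_HOSTS, DATABASE and HTTPS items above all follow the same pattern: read the value from the environment, refuse to start if it is missing or unsafe. Here is an added example (not code from the original post) that puts that pattern in one testable function. Every helper takes the environment as a plain mapping, so the logic can be exercised with a constructed dict instead of the real os.environ. The variable names (DEBUG, ALLOWED_HOSTS, DB_NAME and friends) and the 50-character key length are assumptions for this example, although the length matches what check --deploy warns about.

```python
"""Production settings assembled from environment variables.

Added example, not part of the original post. The environment variable
names used here are assumptions; the Django setting names are real.
"""
import os


class ConfigError(Exception):
    """Raised when a required setting is missing or unsafe."""


def env_required(environ, name):
    """Return a non-empty value or fail loudly at start-up."""
    value = environ.get(name, "").strip()
    if not value:
        raise ConfigError(f"{name} must be set in the environment")
    return value


def env_bool(environ, name, default=False):
    """Strict boolean parsing. The string 'False' is truthy in Python, so
    bool(os.environ.get('DEBUG')) would switch DEBUG on in production;
    only a small set of spellings is accepted here."""
    raw = environ.get(name)
    if raw is None or raw.strip() == "":
        return default
    lowered = raw.strip().lower()
    if lowered in ("1", "true", "yes", "on"):
        return True
    if lowered in ("0", "false", "no", "off"):
        return False
    raise ConfigError(f"{name} must be a boolean, got {raw!r}")


def env_list(environ, name):
    """Comma-separated list, with blanks and whitespace dropped."""
    return [item.strip() for item in environ.get(name, "").split(",") if item.strip()]


def build_settings(environ=None):
    """Return a dict of Django settings derived from `environ`."""
    if environ is None:
        environ = os.environ
    debug = env_bool(environ, "DEBUG", default=False)

    secret_key = env_required(environ, "SECRET_KEY")
    if len(secret_key) < 50:  # same threshold check --deploy complains about
        raise ConfigError("SECRET_KEY is too short; use at least 50 random characters")

    allowed_hosts = env_list(environ, "ALLOWED_HOSTS")
    if not debug and not allowed_hosts:
        raise ConfigError("ALLOWED_HOSTS must list your real hostnames in production")
    if not debug and "*" in allowed_hosts:
        raise ConfigError("ALLOWED_HOSTS='*' disables Host header validation")

    settings = {
        "SECRET_KEY": secret_key,
        "DEBUG": debug,
        "ALLOWED_HOSTS": allowed_hosts,
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql",
                "NAME": env_required(environ, "DB_NAME"),
                "USER": env_required(environ, "DB_USER"),
                "PASSWORD": env_required(environ, "DB_PASSWORD"),
                "HOST": environ.get("DB_HOST", "localhost"),
                "PORT": environ.get("DB_PORT", "5432"),
            }
        },
    }
    if not debug:
        # HTTPS hardening; each of these is a real Django setting that
        # check --deploy warns about when it is off.
        settings.update({
            "SECURE_SSL_REDIRECT": True,
            "SESSION_COOKIE_SECURE": True,
            "CSRF_COOKIE_SECURE": True,
            "SECURE_HSTS_SECONDS": 31536000,
            "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
            # Only safe when the reverse proxy always overwrites this header;
            # otherwise a client can claim its plain-HTTP request was secure.
            "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
        })
    return settings
```

In a real settings.py you would end with `globals().update(build_settings())` or simply assign the keys one by one; the point is that a missing or mistyped variable stops the process from starting instead of quietly running with DEBUG on or an empty ALLOWED_HOSTS.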
That’s all!