The Internet is not a safe place; there are no angels playing on the clouds. It is a dark place where a guy in a black sweatshirt is thinking about how to hack your site. If we can't make the world a safer place, let's at least make our own Django app safer and production ready.
Here’s your checklist:
Django ships with a handy automated check that inspects the configuration of your application and makes suggestions. Run the command and go through every warning it prints.
python manage.py check --deploy
What's the big deal? There are millions of Django SECRET_KEYs on github.com. Don't push your production secret key to a GitHub repo. Best practice is to read sensitive values from environment variables.
import os
# Fail at startup with a KeyError if the variable is missing, instead of silently running with a default.
SECRET_KEY = os.environ['SECRET_KEY']
DEBUG is True or not True
Never, ever enable DEBUG in production.
DEBUG = False
Do you want to protect your site against some CSRF attacks? If your answer is YES, check your ALLOWED_HOSTS setting. You should also configure the web server that sits in front of the Django application to validate the Host header.
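To see what ALLOWED_HOSTS actually does, here is an added example (not code from the original post or from Django itself) that reimplements the matching rules Django applies in HttpRequest.get_host() before it raises DisallowedHost, so it runs without Django installed. The sample ALLOWED_HOSTS list and the Host header values at the bottom are constructed for the demonstration.

```python
import re

# Host header syntax Django accepts: a DNS name or IPv4 literal, or a bracketed
# IPv6 literal, optionally followed by ":port". Anything else is treated as
# malformed and is never matched against ALLOWED_HOSTS.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


def split_domain_port(host):
    """Return (domain, port) for a Host header value, or ('', '') if malformed."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):  # IPv6 literal without a port
        return host, ""
    domain, sep, port = host.rpartition(":")
    if not sep:  # no port present
        domain, port = host, ""
    # A trailing dot is a valid FQDN spelling of the same domain.
    domain = domain[:-1] if domain.endswith(".") else domain
    return domain, port


def is_same_domain(host, pattern):
    """Django's rule: '.example.com' matches example.com and every subdomain;
    any other pattern must match the host exactly."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def host_is_allowed(host_header, allowed_hosts):
    """True when a request with this Host header should be served.
    A bare '*' entry matches everything, which switches the protection off."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


# Constructed sample setting for the demonstration.
ALLOWED_HOSTS = ["example.com", ".api.example.com", "[::1]"]

if __name__ == "__main__":
    for header in ["example.com", "example.com:443", "v1.api.example.com",
                   "www.example.com", "example.com.attacker.test",
                   "[::1]:8000", ""]:
        print(f"{header!r:32} -> {host_is_allowed(header, ALLOWED_HOSTS)}")
```

Note that "www.example.com" is refused because the entry is "example.com" without a leading dot, and that "example.com.attacker.test" is refused because matching is on the whole domain, not a prefix. Either rule is the reason a forged Host header does not end up in the absolute URLs Django builds for you.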
Cache servers often have weak authentication. Make sure they accept connections only from your application servers.
Store database connection parameters in environment variables and don't add them to your git repo. For maximum security, make sure database servers accept connections only from your application servers.
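The SECRET_KEY, DEBUG and database points above all come down to the same thing: settings.py should pull secrets from the environment and refuse to start when something is missing or malformed. This added example (not code from the original post) shows one way to do that. The variable names (DJANGO_DEBUG, DB_NAME, DB_USER, DB_PASSWORD, DB_HOST, DB_PORT), the PostgreSQL backend and the ImproperlyConfigured stand-in class are assumptions; the key-strength thresholds mirror Django's security.W009 deploy check.

```python
import os


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured, so the
    example runs without Django installed (assumption)."""


# Thresholds mirror Django's security.W009 check: a key shorter than 50
# characters, with fewer than 5 distinct characters, or still carrying the
# "django-insecure-" prefix that startproject generates gets flagged.
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE = 5
INSECURE_PREFIX = "django-insecure-"


def env_str(name, env):
    """Required string setting; an empty or missing variable is an error."""
    value = env.get(name, "").strip()
    if not value:
        raise ImproperlyConfigured(f"The {name} environment variable is required")
    return value


def env_bool(name, env, default=False):
    """Parse a boolean. bool('False') is True in Python, so the accepted
    spellings are matched explicitly and anything else is an error."""
    raw = env.get(name)
    if raw is None:
        return default
    raw = raw.strip().lower()
    if raw in ("1", "true", "yes", "on"):
        return True
    if raw in ("0", "false", "no", "off"):
        return False
    raise ImproperlyConfigured(f"{name} must be a boolean, got {raw!r}")


def validate_secret_key(key):
    """Reject keys that check --deploy would warn about."""
    if key.startswith(INSECURE_PREFIX):
        raise ImproperlyConfigured("SECRET_KEY still has the development prefix")
    if len(key) < SECRET_KEY_MIN_LENGTH or len(set(key)) < SECRET_KEY_MIN_UNIQUE:
        raise ImproperlyConfigured("SECRET_KEY is too short or too repetitive")
    return key


def build_settings(env):
    """Return the security-relevant settings, built only from `env`
    (pass os.environ from the real settings.py)."""
    return {
        "SECRET_KEY": validate_secret_key(env_str("SECRET_KEY", env)),
        "DEBUG": env_bool("DJANGO_DEBUG", env, default=False),
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql",  # assumed backend
                "NAME": env_str("DB_NAME", env),
                "USER": env_str("DB_USER", env),
                "PASSWORD": env_str("DB_PASSWORD", env),
                "HOST": env_str("DB_HOST", env),
                "PORT": env.get("DB_PORT", "5432"),
            }
        },
    }


if __name__ == "__main__":
    # Constructed environment for the demonstration; real code passes os.environ,
    # e.g. globals().update(build_settings(os.environ)) at the end of settings.py.
    demo_env = {
        "SECRET_KEY": "a1b2c3d4e5" * 5,
        "DJANGO_DEBUG": "False",
        "DB_NAME": "app", "DB_USER": "app",
        "DB_PASSWORD": "constructed-password", "DB_HOST": "db.internal",
    }
    print(build_settings(demo_env)["DEBUG"])
```

The DEBUG parsing is the part people get wrong most often: `DEBUG = bool(os.environ.get("DEBUG"))` turns the string "False" into True, which is exactly the production mistake the post warns about.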
Don't trust users! If you add file upload to a Django application, don't let users upload .php files, and the web server shouldn't execute anything they upload.
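Not executing uploads is the web server's job; refusing the wrong files in the first place is the application's. This added example (not code from the original post) shows a defensive upload filter: an explicit allow list of extensions, a check that every dotted segment of the name is allowed (so "shell.php.png" and ".htaccess" are refused, since some web servers act on more than the last extension), a magic-number check that the content matches the declared type, a size limit, and a random storage name so the client-supplied name is never used on disk. The allowed types, the 5 MiB limit and the UploadRejected class are assumptions; the sample PNG and GIF headers are constructed.

```python
import os
import secrets

# Assumed upload policy for this example: images and PDFs only, 5 MiB max.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Leading bytes ("magic numbers") each allowed type must start with, so a
# file called photo.png that is not actually a PNG is refused.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Raised for any upload the policy does not accept."""


def checked_extension(filename):
    """Return the lowercase extension when every dotted segment of the base
    name is on the allow list; hidden files and names without an extension
    are refused."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing extension or hidden-file name")
    for ext in parts[1:]:
        if ext not in ALLOWED_EXTENSIONS:
            raise UploadRejected(f"extension {ext!r} is not allowed")
    return parts[-1]


def storage_name(filename, head, size):
    """Validate an upload and return the random name to store it under.
    `filename` is the client-supplied name (only its extension is used),
    `head` the first bytes of the content and `size` the byte length.
    In a Django view these come from f.name, f.read(8) and f.size where
    f = request.FILES['upload']."""
    if size <= 0 or size > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    ext = checked_extension(filename)
    if not any(head.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected("content does not match the declared type")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename, head, size):
    """Boolean convenience wrapper around storage_name()."""
    try:
        storage_name(filename, head, size)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample content: a PNG header padded with zeros.
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    for name in ["photo.PNG", "shell.php", "shell.php.png", ".htaccess", "photo.jpg"]:
        print(f"{name:16} -> {is_accepted(name, png_head, 1024)}")
```

Store the result under MEDIA_ROOT, outside the document root of the web server, and serve it from a location with no script handler configured; the filter above stops the obvious cases, the server configuration stops whatever gets past it.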
Use an SSL certificate: get one and use it! It's not a big deal.