
Production-Ready Security Settings in Django

Quick Overview

When deploying Django in production, it’s essential to configure security settings to protect both the application and its users. Django ships with many built-in security features, but most of them are off or permissive by default and must be explicitly enabled and tuned for real-world environments.

Key Concepts

  • Disabling debug information in production
  • Restricting allowed hosts
  • Forcing HTTPS and secure cookies
  • Using browser-level security headers
  • Mitigating XSS, CSRF, and clickjacking attacks

Syntax & Theory

Django security is primarily configured in the settings.py file. These settings control how requests, responses, cookies, and headers behave in production environments; most of them are enforced by django.middleware.security.SecurityMiddleware, which must be present in MIDDLEWARE (it is, in the default project template).

Code Examples

1️⃣ Disable Debug Mode

# Disable debug mode to avoid leaking sensitive information
# (with DEBUG = True, error pages expose tracebacks, settings and local variables)
DEBUG = False

2️⃣ Configure Allowed Hosts

# Restrict domains that can serve this Django application
# (requests whose Host header is not listed are rejected with 400 Bad Request)
ALLOWED_HOSTS = ['yourdomain.com', 'sub.yourdomain.com']

3️⃣ Enable Secure Cookies & HTTPS

# Force cookies and requests to use HTTPS
SESSION_COOKIE_SECURE = True   # session cookie is only sent over HTTPS
CSRF_COOKIE_SECURE = True      # CSRF cookie is only sent over HTTPS
SECURE_SSL_REDIRECT = True     # SecurityMiddleware redirects plain-HTTP requests to HTTPS
# Behind a TLS-terminating proxy or load balancer, also set SECURE_PROXY_SSL_HEADER
# so Django can tell that the original request was HTTPS; otherwise the redirect loops.

4️⃣ Enable HSTS

# Enforce HTTPS for one year using HSTS
# (the Strict-Transport-Security header is only added to HTTPS responses;
# roll out with a short max-age first, because a misconfigured site stays locked to HTTPS
# for the full duration, and preload additionally requires submission to the browser preload list)
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True

5️⃣ Prevent MIME Type Sniffing

# Prevent browsers from guessing content types (sends X-Content-Type-Options: nosniff)
SECURE_CONTENT_TYPE_NOSNIFF = True

6️⃣ Enable Browser XSS Protection

# Enable built-in browser XSS filtering (sends X-XSS-Protection: 1; mode=block)
# Note: this setting was deprecated in Django 3.0 and removed in Django 4.0, and modern
# browsers no longer honour the header; rely on template autoescaping and CSP instead.
SECURE_BROWSER_XSS_FILTER = True

7️⃣ Prevent Clickjacking

# Disallow embedding this site in iframes
# (sent by django.middleware.clickjacking.XFrameOptionsMiddleware, part of the default MIDDLEWARE)
X_FRAME_OPTIONS = 'DENY'

8️⃣ Content Security Policy (CSP)

# Configure Content Security Policy using django-csp (CSP_* settings are the django-csp 3.x style;
# django-csp 4.0 replaces them with a single CONTENT_SECURITY_POLICY dict)
INSTALLED_APPS += ['csp']   # append: assigning a new list would drop django.contrib.* apps
MIDDLEWARE += ['csp.middleware.CSPMiddleware']   # the middleware is what emits the header
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'", 'https://trusted-cdn.com')

Live Output / Explanation

  • Secure cookies ensure session data is never sent over HTTP.
  • HSTS forces browsers to use HTTPS after the first HTTPS visit, for as long as max-age says.
  • X-Frame-Options blocks clickjacking attacks.
  • CSP restricts where scripts and assets can load from.


Use Cases

  • Production Django deployments
  • Applications handling user authentication
  • Payment and sensitive data platforms
  • Enterprise-grade web applications

✅ Tips & Best Practices

  • Always deploy behind HTTPS using a trusted certificate.
  • Review security headers after each deployment.
  • Log authentication failures and suspicious behavior.
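Putting the settings from the Code Examples section together with the tip about reviewing security headers after each deployment, here is an added example in Python (not Django's own code and not part of the original page): it models how Django's SecurityMiddleware, XFrameOptionsMiddleware and django-csp 3.x turn those settings into response headers, and then audits a captured set of response headers against that model. The PRODUCTION_SETTINGS dict, SAMPLE_RESPONSE_HEADERS and all function names are constructed for this example; the header formats follow Django's documented output.

```python
"""Added example (not Django's own code): derive the headers a set of Django
security settings should produce, then audit captured response headers."""
from __future__ import annotations

from typing import Any

# Header-bearing settings from the page, in django-csp 3.x CSP_* style (constructed).
PRODUCTION_SETTINGS: dict[str, Any] = {
    "DEBUG": False,
    "SECURE_HSTS_SECONDS": 31536000,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "X_FRAME_OPTIONS": "DENY",
    "CSP_DEFAULT_SRC": ("'self'",),
    "CSP_SCRIPT_SRC": ("'self'", "https://trusted-cdn.com"),
}

# Subset of django-csp 3.x settings and the CSP directives they map to.
CSP_SETTING_TO_DIRECTIVE = {
    "CSP_DEFAULT_SRC": "default-src",
    "CSP_SCRIPT_SRC": "script-src",
    "CSP_STYLE_SRC": "style-src",
    "CSP_IMG_SRC": "img-src",
    "CSP_CONNECT_SRC": "connect-src",
    "CSP_FRAME_ANCESTORS": "frame-ancestors",
}


def expected_headers(settings: dict[str, Any]) -> dict[str, str]:
    """Return the headers these settings should produce on an HTTPS response."""
    headers: dict[str, str] = {}
    seconds = int(settings.get("SECURE_HSTS_SECONDS", 0))
    if seconds:  # SecurityMiddleware only emits HSTS when SECURE_HSTS_SECONDS > 0
        value = f"max-age={seconds}"
        if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            value += "; includeSubDomains"
        if settings.get("SECURE_HSTS_PRELOAD"):
            value += "; preload"
        headers["Strict-Transport-Security"] = value
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        headers["X-Content-Type-Options"] = "nosniff"
    xfo = settings.get("X_FRAME_OPTIONS")
    if xfo:
        headers["X-Frame-Options"] = str(xfo).upper()  # Django upper-cases the value
    directives = [
        f"{name} {' '.join(settings[key])}"
        for key, name in CSP_SETTING_TO_DIRECTIVE.items()
        if settings.get(key)
    ]
    if directives:
        headers["Content-Security-Policy"] = "; ".join(directives)
    return headers


def parse_csp(policy: str) -> dict[str, frozenset[str]]:
    """Parse a CSP header into {directive: sources} so directive order does not matter."""
    result = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = frozenset(tokens[1:])
    return result


def audit_response(headers: list[tuple[str, str]], expected: dict[str, str]) -> list[str]:
    """Compare captured (name, value) header pairs, e.g. from http.client's
    getheaders(), against the expected set. An empty list means no findings."""
    findings: list[str] = []
    observed: dict[str, list[str]] = {}
    for name, value in headers:
        observed.setdefault(name.lower(), []).append(value.strip())
    for name, want in expected.items():
        got = observed.get(name.lower())
        if not got:
            findings.append(f"missing {name} (expected '{want}')")
        elif name == "Content-Security-Policy":
            if parse_csp(got[0]) != parse_csp(want):
                findings.append(f"{name} differs: got '{got[0]}'")
        elif got[0] != want:
            findings.append(f"{name} is '{got[0]}', expected '{want}'")
    # SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE show up as the Secure flag on
    # Set-Cookie; the session cookie is HttpOnly by default in Django.
    for cookie in observed.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        flags = {f.strip().lower() for f in cookie.split(";")[1:]}
        if cookie_name in ("sessionid", "csrftoken") and "secure" not in flags:
            findings.append(f"cookie {cookie_name} is missing the Secure flag")
        if cookie_name == "sessionid" and "httponly" not in flags:
            findings.append("cookie sessionid is missing the HttpOnly flag")
    return findings


# Constructed sample: headers as a partially misconfigured deployment might return them.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),  # preload absent
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "script-src 'self' https://trusted-cdn.com; default-src 'self'"),
    ("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax"),  # Secure flag absent
    ("Set-Cookie", "csrftoken=def456; Secure; Path=/; SameSite=Lax"),
]

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE_HEADERS, expected_headers(PRODUCTION_SETTINGS)):
        print("FINDING:", finding)
```

Against the constructed sample this reports three findings: the HSTS value lacks preload, X-Frame-Options is missing entirely, and the session cookie lacks the Secure flag; the CSP passes because the comparison is order-insensitive. For a real deployment, feed in the pairs returned by http.client's getheaders() (or transcribe the output of curl -I) and keep the settings-side checks that never surface as headers (DEBUG, ALLOWED_HOSTS, cookie flags) to python manage.py check --deploy.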

Try It Yourself

  • Deploy a test Django app and enable all listed security settings.
  • Use browser dev tools to inspect security headers.
  • Experiment with CSP rules and observe blocked scripts.