Security is one of those areas where it is very hard to know if everything is taken care of. So you have been working on this project for a while and you want to deploy it into a production server, there are several settings on this new environment that should differ from your development one.
Since this is very common situation and there are many examples of misconfigurations that later turned to security issues, django has a security checklist (since version 1.8) to remind you of some basic aspects (mostly on/off switches) that you should make sure that are set correctly.
To run it on your project you simply have to execute the following command:
$python manage.py check --deploy
After the verification you will be presented with warnings like this one:
(security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
More information can be found in the documentation, since it uses the check framework, that has several interesting use cases.
Interested in more information about security in django? Check this video from the last edition of “Django Under the Hood“.
