Django Tips & Tricks #2 - Quickly Check If Your App Is Ready For Production


Before deploying your Django app, you need to make sure that security, logging and other production concerns are taken care of. Django ships a deployment checklist which helps a lot. The development version of Django also adds a --deploy option to the check command, which runs a set of security checks against your settings. You can run it against your production settings with
python manage.py check --deploy --settings=production_settings
I have just created a new project, and on this fresh project Django identified 6 security issues.
→ python manage.py check --deploy
System check identified some issues:
WARNINGS:
?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE_CLASSES so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W017) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_HTTPONLY to True. Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.

System check identified 6 issues (0 silenced).
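To see what each of those six warnings actually keys on, and what a settings module that silences them looks like, here is a small checker that mirrors the conditions behind security.W001, W012, W016, W017, W018 and W019 and runs it over two settings dicts: one reproducing a fresh project like the one above, and one hardened. This is an added example written for this post, not Django's own code (the real checks live in django.core.checks.security and read django.conf.settings); the two settings dicts are constructed for illustration.

```python
"""Mirror of the six `check --deploy` warnings shown above, applied to a
plain settings dict. Added example, not Django's code: the real checks are
in django.core.checks.security and read django.conf.settings."""

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# Constructed: the settings a fresh project effectively runs with (the
# cookie flags and X_FRAME_OPTIONS are Django's defaults, DEBUG is True).
NEW_PROJECT_SETTINGS = {
    "DEBUG": True,
    "MIDDLEWARE_CLASSES": [CSRF_MW, XFRAME_MW],
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "CSRF_COOKIE_HTTPONLY": False,
    "X_FRAME_OPTIONS": "SAMEORIGIN",
}

# Constructed: the same project with every warning above addressed. Only
# correct if the site is really served over HTTPS; a Secure cookie is never
# sent over http://, so login would silently stop working on a plain-HTTP site.
PRODUCTION_SETTINGS = {
    "DEBUG": False,
    "MIDDLEWARE_CLASSES": [SECURITY_MW, CSRF_MW, XFRAME_MW],
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "CSRF_COOKIE_HTTPONLY": True,
    "X_FRAME_OPTIONS": "DENY",
    # These four only take effect because SecurityMiddleware is installed (W001).
    "SECURE_SSL_REDIRECT": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_BROWSER_XSS_FILTER": True,
    "SECURE_HSTS_SECONDS": 3600,  # start low; browsers cache HSTS for this long
}


def deploy_warnings(settings):
    """Return the security.W0xx ids (in output order) that would be reported."""
    middleware = settings.get("MIDDLEWARE_CLASSES", [])
    found = []
    if SECURITY_MW not in middleware:
        found.append("security.W001")
    if settings.get("SESSION_COOKIE_SECURE") is not True:
        found.append("security.W012")
    # W016/W017 are only raised when the CSRF middleware is actually in use.
    if CSRF_MW in middleware:
        if settings.get("CSRF_COOKIE_SECURE") is not True:
            found.append("security.W016")
        if settings.get("CSRF_COOKIE_HTTPONLY") is not True:
            found.append("security.W017")
    if settings.get("DEBUG"):
        found.append("security.W018")
    # Likewise W019 only matters if the clickjacking middleware is installed.
    if XFRAME_MW in middleware and settings.get("X_FRAME_OPTIONS") != "DENY":
        found.append("security.W019")
    return found


if __name__ == "__main__":
    for name, cfg in (("new project", NEW_PROJECT_SETTINGS),
                      ("production", PRODUCTION_SETTINGS)):
        print("%-12s %s" % (name, ", ".join(deploy_warnings(cfg)) or "no warnings"))
```

Two caveats before copying the hardened dict into production_settings.py: CSRF_COOKIE_HTTPONLY = True stops your own JavaScript from reading the CSRF cookie, so AJAX code that did that has to take the token from the rendered form (or a data attribute) instead; and SECURE_SSL_REDIRECT plus Secure cookies assume TLS terminates in front of Django, so behind a proxy you also need SECURE_PROXY_SSL_HEADER set correctly or every request will loop through the redirect.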

However, this does not catch issues such as missing 404.html and 500.html templates, missing email and admin email setup, or leftover print and pdb statements. There is a Django package called django-production-ready which checks for these.

To the newly created project I added a file containing print and pdb statements. I then installed django-production-ready, added prodready to INSTALLED_APPS and ran the is_it_ready management command, which produced a neat log of all the issues.
→ python manage.py is_it_ready
--------------------
Production ready: No
--------------------
Possible errors:
    * Enter valid email address in ADMINS section
    * Enter valid email address in MANAGERS section
    * Template 404.html does not exist
    * Template 500.html does not exist
    * Setup E-mail host
    * Set a valid email for SERVER_EMAIL
    * Set a valid email for DEFAULT_FROM_EMAIL
    * You have one or more ipdb import statements
    * You have one or more print statements
This comes in handy to quickly make sure a lot of these issues are taken care of and the app is ready for deployment!
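The last two is_it_ready findings above (leftover debugger imports and print statements) are the kind of check that is easy to get wrong with grep, which also flags the word "print" inside comments and strings. The following is an added example, not code from django-production-ready, showing how to do that scan over the Python AST instead; the sample view source it scans is constructed for illustration.

```python
"""Find leftover print calls and pdb/ipdb debugger hooks in Python source.
Added example approximating the last two is_it_ready checks shown above;
it is not code from django-production-ready."""
import ast

DEBUGGER_MODULES = {"pdb", "ipdb"}

# Constructed sample: a view with the kind of leftovers the tool flags, plus
# a comment and a string literal that a naive grep for "print" would report.
SAMPLE_VIEW = '''\
import ipdb
from django.http import HttpResponse

def index(request):
    # print("not a hit: this is a comment")
    print("request:", request.path)
    ipdb.set_trace()
    return HttpResponse("print in a string is not a hit")
'''


def debug_leftovers(source):
    """Return sorted (lineno, description) pairs for each print/debugger use.

    Walking the AST means only real code is reported: a 'print' inside a
    comment or a string literal is not a call node and so is ignored.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DEBUGGER_MODULES:
                    hits.append((node.lineno, "import %s" % alias.name))
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in DEBUGGER_MODULES:
                hits.append((node.lineno, "from %s import ..." % node.module))
        elif isinstance(node, ast.Call):
            func = node.func
            # print(...) and the builtin breakpoint() hook
            if isinstance(func, ast.Name) and func.id in ("print", "breakpoint"):
                hits.append((node.lineno, "%s()" % func.id))
            # pdb.set_trace() / ipdb.set_trace()
            elif (isinstance(func, ast.Attribute) and func.attr == "set_trace"
                  and isinstance(func.value, ast.Name)
                  and func.value.id in DEBUGGER_MODULES):
                hits.append((node.lineno, "%s.set_trace()" % func.value.id))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, what in debug_leftovers(SAMPLE_VIEW):
        print("line %d: %s" % (lineno, what))
```

To use it on a real project, read each .py file under your apps and feed its contents to debug_leftovers; files that fail to parse (for example Python 2 code under a Python 3 interpreter) raise SyntaxError and should be reported separately rather than skipped silently.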


I am Chillar Anand. I daydream a lot and write about the things that interest me here. You can read more about this blog here.
