Django Tips & Tricks #2 - Quickly Check If Your App Is Ready For Production

Before deploying your Django app, you need to make sure that security, logging and other issues are taken care of. Django provides a deployment checklist which helps a lot. Django 1.8 also adds a --deploy option to the check management command, which runs a set of security checks against your settings. Run it against the settings module you actually deploy with, not the development one, otherwise it will only tell you about your development settings:
python manage.py check --deploy --settings=production_settings
On a freshly created project, Django identified 6 security issues:
→ python manage.py check --deploy
System check identified some issues:
WARNINGS:
?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE_CLASSES so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W017) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_HTTPONLY to True. Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.

System check identified 6 issues (0 silenced).
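Each of the six warnings maps to one setting (or one middleware entry) in the production settings module. The block below is an added example, not Django's own code (the real checks live in django.core.checks.security): it shows a settings dict with the startproject defaults beside a hardened one that clears every warning in the output above, and a small function that mirrors the conditions stated in those warning messages so the two can be compared offline. The middleware list is the Django 1.8 default; the SECURE_* values in the hardened dict are assumptions about what a TLS-only site would want.

```python
"""Hardened settings beside the defaults, with a re-implementation of the
six security.W0xx conditions quoted in the `check --deploy` output.

Added example, not Django's code. A Django settings module is plain Python,
so the two dicts stand in for settings.py and production_settings.py.
"""

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"
CSRF_MIDDLEWARE = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MIDDLEWARE = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# Settings as generated by `startproject` in Django 1.8 (development defaults).
DEV_SETTINGS = {
    "DEBUG": True,
    "MIDDLEWARE_CLASSES": [
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        CSRF_MIDDLEWARE,
        "django.contrib.auth.middleware.AuthenticationMiddleware",
        "django.contrib.messages.middleware.MessageMiddleware",
        XFRAME_MIDDLEWARE,
    ],
}

# What production_settings.py should set to silence every warning above.
PROD_SETTINGS = {
    **DEV_SETTINGS,
    "DEBUG": False,                                     # W018
    "MIDDLEWARE_CLASSES": [SECURITY_MIDDLEWARE]         # W001: must be present
    + DEV_SETTINGS["MIDDLEWARE_CLASSES"],
    "SESSION_COOKIE_SECURE": True,                      # W012: HTTPS-only cookie
    "CSRF_COOKIE_SECURE": True,                         # W016
    "CSRF_COOKIE_HTTPONLY": True,                       # W017
    "X_FRAME_OPTIONS": "DENY",                          # W019 (default SAMEORIGIN)
    # Assumed values; these only take effect once SecurityMiddleware is installed.
    "SECURE_SSL_REDIRECT": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_BROWSER_XSS_FILTER": True,
    "SECURE_HSTS_SECONDS": 3600,   # start small; browsers cache HSTS for this long
}


def deploy_warnings(settings):
    """Return the security.W0xx codes whose condition, as worded in the
    `check --deploy` output, holds for the given settings dict."""
    warnings = []
    middleware = settings.get("MIDDLEWARE_CLASSES", [])
    if SECURITY_MIDDLEWARE not in middleware:
        warnings.append("security.W001")
    if settings.get("SESSION_COOKIE_SECURE") is not True:
        warnings.append("security.W012")
    if CSRF_MIDDLEWARE in middleware:
        if settings.get("CSRF_COOKIE_SECURE") is not True:
            warnings.append("security.W016")
        if settings.get("CSRF_COOKIE_HTTPONLY") is not True:
            warnings.append("security.W017")
    if settings.get("DEBUG") is True:
        warnings.append("security.W018")
    # Django's default for X_FRAME_OPTIONS is 'SAMEORIGIN', hence the fallback.
    if XFRAME_MIDDLEWARE in middleware and \
            settings.get("X_FRAME_OPTIONS", "SAMEORIGIN") != "DENY":
        warnings.append("security.W019")
    return warnings


if __name__ == "__main__":
    for name, cfg in (("dev settings", DEV_SETTINGS), ("prod settings", PROD_SETTINGS)):
        print(name + ":", deploy_warnings(cfg) or "no issues")
```

Two caveats a practitioner should keep in mind: SECURE_SSL_REDIRECT and the secure cookie flags will lock users out of a site that is not actually served over HTTPS, so enable them only in the settings module used behind TLS; and SECURE_HSTS_SECONDS is remembered by browsers for the whole period, so ramp it up from a small value rather than starting at a year.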

However, this check does not catch other deployment issues: missing 404.html and 500.html templates, no email setup, no ADMINS or MANAGERS addresses, and leftover print or pdb statements in the code. A third-party package, django-production-ready, checks for these.

To the newly created project I added a file containing a print statement and a pdb import. After installing django-production-ready, adding prodready to INSTALLED_APPS and running the is_it_ready management command, I got a neat log of all the issues:
→ python manage.py is_it_ready
--------------------
Production ready: No
--------------------
Possible errors:
    * Enter valid email address in ADMINS section
    * Enter valid email address in MANAGERS section
    * Template 404.html does not exist
    * Template 500.html does not exist
    * Setup E-mail host
    * Set a valid email for SERVER_EMAIL
    * Set a valid email for DEFAULT_FROM_EMAIL
    * You have one or more ipdb import  statements
    * You have one or more print statements
This comes in handy to quickly make sure a lot of issues are taken care of and the app is ready for deployment!
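The last two items in that log (debugger imports and print statements) are the ones most worth automating in CI, because they are the easiest to leave behind. The block below is an added example of how to find them, not code from django-production-ready: it parses each file with the ast module instead of grepping, so a commented-out print or the word "print" inside a string does not produce a false positive. The debugger module list and the sample view source are constructed for the example.

```python
"""Report leftover print() calls and debugger imports in Python source.

Added example, not django-production-ready's implementation. Uses the ast
module so comments and string literals are never reported. Python 3 only
(Python 2's `print x` statement is not parseable by a Python 3 ast).
"""
import ast
import os

# Assumed list of debugger modules to flag; extend as needed.
DEBUGGERS = {"pdb", "ipdb", "pudb"}


def find_debug_statements(source, filename="<string>"):
    """Return sorted (lineno, description) tuples for one file's source."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):                    # import ipdb
            for alias in node.names:
                if alias.name.split(".")[0] in DEBUGGERS:
                    findings.append((node.lineno, "import of %s" % alias.name))
        elif isinstance(node, ast.ImportFrom):              # from pdb import set_trace
            if node.module and node.module.split(".")[0] in DEBUGGERS:
                findings.append((node.lineno, "import from %s" % node.module))
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in ("print", "breakpoint"):
                findings.append((node.lineno, "%s() call" % func.id))
            elif isinstance(func, ast.Attribute) and func.attr == "set_trace":
                findings.append((node.lineno, "set_trace() call"))   # pdb.set_trace()
    return sorted(findings)


def scan_project(root, skip_dirs=("migrations", ".git", "node_modules")):
    """Walk a project tree and return {path: findings} for files with findings."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                try:
                    found = find_debug_statements(fh.read(), path)
                except SyntaxError:
                    continue   # not our job; the app would not import anyway
            if found:
                report[path] = found
    return report


# Constructed sample: a view with a commented-out print (ignored), a real
# print, and an ipdb breakpoint. Line numbers in the assertions refer to it.
SAMPLE_VIEW = '''\
import os
import ipdb
from django.http import HttpResponse

def view(request):
    # print("this comment is ignored")
    print("debugging", request.path)
    ipdb.set_trace()
    return HttpResponse("ok")
'''


if __name__ == "__main__":
    for lineno, what in find_debug_statements(SAMPLE_VIEW, "views.py"):
        print("views.py:%d: %s" % (lineno, what))
```

Run scan_project(".") from the project root (or wire it into a test that asserts the report is empty) to get the same "you have one or more print statements" signal as is_it_ready, but with the file and line number attached.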
Tags: django | django-tips-tricks | python

I am Chillar Anand. I daydream a lot and write about the things that interest me here. You can read more about this blog here.
