Django Security Tips

Feb 2016 Update: I’m excited to tell you all that this blog post has been accepted and published on the Django Girls website here.

The following is a document I compiled for a friend who was starting with Django.

I have been using Django for the last 2 years and have compiled a list of basics to be taken care of to ensure a secure Django app (this is based on experience, to ensure nobody else repeats the mistakes I’ve made)

Some pointers to begin with:

  1. A basic check –
  2. Use Django templates to protect yourself against the majority of XSS attacks
  3. It is always better for security, though not always practical in all cases, to deploy your site behind HTTPS (Set up redirection so that requests over HTTP are redirected to HTTPS)
  4. Session security – I used for my previous Django app
  5. Ensure DEBUG is set to False in your production environment
  6. Be very careful with marking views with the csrf_exempt decorator unless it is absolutely necessary
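A small audit script covering points 3 to 6 of the list above, added here as an example and not part of the original post. The two settings dictionaries are constructed samples (the setting names themselves are real Django settings), and `audit_settings` / `count_csrf_exempt` are hypothetical helpers, not Django APIs.

```python
"""Audit a Django settings module against the checklist above."""
import re

# Constructed: a typical development settings module, unsafe in production.
DEV_SETTINGS = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECURE_SSL_REDIRECT": False,
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
}

# Constructed: the hardened production counterpart.
PROD_SETTINGS = {
    "DEBUG": False,                    # no tracebacks or settings shown to users
    "ALLOWED_HOSTS": ["example.com"],  # required once DEBUG is False; no wildcard
    "SECURE_SSL_REDIRECT": True,       # SecurityMiddleware sends HTTP to HTTPS
    "SECURE_HSTS_SECONDS": 31536000,   # browsers keep using HTTPS afterwards
    "SESSION_COOKIE_SECURE": True,     # session cookie only travels over HTTPS
    "SESSION_COOKIE_HTTPONLY": True,   # not readable by page scripts
    "CSRF_COOKIE_SECURE": True,
}

# Every setting must be present explicitly; relying on defaults is a finding.
REQUIRED_TRUE = ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE",
                 "CSRF_COOKIE_SECURE", "SESSION_COOKIE_HTTPONLY")


def audit_settings(settings):
    """Return the checklist items the given settings dict fails, in order."""
    findings = []
    if settings.get("DEBUG", True):          # missing DEBUG counts as unsafe
        findings.append("DEBUG")
    if "*" in settings.get("ALLOWED_HOSTS", ["*"]):
        findings.append("ALLOWED_HOSTS")
    for name in REQUIRED_TRUE:
        if not settings.get(name, False):
            findings.append(name)
    return findings


CSRF_EXEMPT_RE = re.compile(r"^\s*@csrf_exempt\b", re.MULTILINE)


def count_csrf_exempt(source):
    """Count views decorated with @csrf_exempt in a views.py source string."""
    return len(CSRF_EXEMPT_RE.findall(source))


if __name__ == "__main__":
    print("dev findings:", audit_settings(DEV_SETTINGS))
    print("prod findings:", audit_settings(PROD_SETTINGS))
```

Django's own `manage.py check --deploy` runs a comparable set of checks against a real project; this script only illustrates what those checks look for.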


Choosing an API framework for Django –

We use DRF at work –


Must read:
1. (overview of what Django helps us with)
2. (very informative)

Further reading:

You can rely on answers to common Django problems on Stack Overflow (mainly from pydanny and Daniel Roseman)


You may want to add some points that I may have missed out in the comments section 🙂



