django-security
Django security best practices, authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configurations.
Django Security Best Practices
Comprehensive security guidelines for Django applications to protect against common vulnerabilities.
When to Activate
- Setting up Django authentication and authorization
- Implementing user permissions and roles
- Configuring production security settings
- Reviewing Django application for security issues
- Deploying Django applications to production
Core Security Settings
Production Settings Configuration
import os
DEBUG = False # CRITICAL: Never use True in production
ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', '').split(',')
# Security headersSECURE_SSL_REDIRECT = TrueSESSION_COOKIE_SECURE = TrueCSRF_COOKIE_SECURE = TrueSECURE_HSTS_SECONDS = 31536000 # 1 yearSECURE_HSTS_INCLUDE_SUBDOMAINS = TrueSECURE_HSTS_PRELOAD = TrueSECURE_CONTENT_TYPE_NOSNIFF = TrueSECURE_BROWSER_XSS_FILTER = TrueX_FRAME_OPTIONS = 'DENY'
# HTTPS and CookiesSESSION_COOKIE_HTTPONLY = TrueCSRF_COOKIE_HTTPONLY = TrueSESSION_COOKIE_SAMESITE = 'Lax'CSRF_COOKIE_SAMESITE = 'Lax'
# Secret key (must be set via environment variable)SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')if not SECRET_KEY: raise ImproperlyConfigured('DJANGO_SECRET_KEY environment variable is required')
# Password validationAUTH_PASSWORD_VALIDATORS = [ { 'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator', }, { 'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator', 'OPTIONS': { 'min_length': 12, } }, { 'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator', }, { 'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator', },]Authentication
Custom User Model
from django.contrib.auth.models import AbstractUserfrom django.db import models
class User(AbstractUser): """Custom user model for better security."""
email = models.EmailField(unique=True) phone = models.CharField(max_length=20, blank=True)
USERNAME_FIELD = 'email' # Use email as username REQUIRED_FIELDS = ['username']
class Meta: db_table = 'users' verbose_name = 'User' verbose_name_plural = 'Users'
def __str__(self): return self.email
# settings/base.pyAUTH_USER_MODEL = 'users.User'Password Hashing
# Django uses PBKDF2 by default. For stronger security:PASSWORD_HASHERS = [ 'django.contrib.auth.hashers.Argon2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2PasswordHasher', 'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher', 'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',]Session Management
# Session configurationSESSION_ENGINE = 'django.contrib.sessions.backends.cache' # Or 'db'SESSION_CACHE_ALIAS = 'default'SESSION_COOKIE_AGE = 3600 * 24 * 7 # 1 weekSESSION_SAVE_EVERY_REQUEST = FalseSESSION_EXPIRE_AT_BROWSER_CLOSE = False # Better UX, but less secureAuthorization
Permissions
from django.db import modelsfrom django.contrib.auth.models import Permission
class Post(models.Model): title = models.CharField(max_length=200) content = models.TextField() author = models.ForeignKey(User, on_delete=models.CASCADE)
class Meta: permissions = [ ('can_publish', 'Can publish posts'), ('can_edit_others', 'Can edit posts of others'), ]
def user_can_edit(self, user): """Check if user can edit this post.""" return self.author == user or user.has_perm('app.can_edit_others')
# views.pyfrom django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixinfrom django.views.generic import UpdateView
class PostUpdateView(LoginRequiredMixin, PermissionRequiredMixin, UpdateView): model = Post permission_required = 'app.can_edit_others' raise_exception = True # Return 403 instead of redirect
def get_queryset(self): """Only allow users to edit their own posts.""" return Post.objects.filter(author=self.request.user)Custom Permissions
from rest_framework import permissions
class IsOwnerOrReadOnly(permissions.BasePermission): """Allow only owners to edit objects."""
def has_object_permission(self, request, view, obj): # Read permissions allowed for any request if request.method in permissions.SAFE_METHODS: return True
# Write permissions only for owner return obj.author == request.user
class IsAdminOrReadOnly(permissions.BasePermission): """Allow admins to do anything, others read-only."""
def has_permission(self, request, view): if request.method in permissions.SAFE_METHODS: return True return request.user and request.user.is_staff
class IsVerifiedUser(permissions.BasePermission): """Allow only verified users."""
def has_permission(self, request, view): return request.user and request.user.is_authenticated and request.user.is_verifiedRole-Based Access Control (RBAC)
from django.contrib.auth.models import AbstractUser, Group
class User(AbstractUser): ROLE_CHOICES = [ ('admin', 'Administrator'), ('moderator', 'Moderator'), ('user', 'Regular User'), ] role = models.CharField(max_length=20, choices=ROLE_CHOICES, default='user')
def is_admin(self): return self.role == 'admin' or self.is_superuser
def is_moderator(self): return self.role in ['admin', 'moderator']
# Mixinsclass AdminRequiredMixin: """Mixin to require admin role."""
def dispatch(self, request, *args, **kwargs): if not request.user.is_authenticated or not request.user.is_admin(): from django.core.exceptions import PermissionDenied raise PermissionDenied return super().dispatch(request, *args, **kwargs)SQL Injection Prevention
Django ORM Protection
# GOOD: Django ORM automatically escapes parametersdef get_user(username): return User.objects.get(username=username) # Safe
# GOOD: Using parameters with raw()def search_users(query): return User.objects.raw('SELECT * FROM users WHERE username = %s', [query])
# BAD: Never directly interpolate user inputdef get_user_bad(username): return User.objects.raw(f'SELECT * FROM users WHERE username = {username}') # VULNERABLE!
# GOOD: Using filter with proper escapingdef get_users_by_email(email): return User.objects.filter(email__iexact=email) # Safe
# GOOD: Using Q objects for complex queriesfrom django.db.models import Qdef search_users_complex(query): return User.objects.filter( Q(username__icontains=query) | Q(email__icontains=query) ) # SafeExtra Security with raw()
# If you must use raw SQL, always use parametersUser.objects.raw( 'SELECT * FROM users WHERE email = %s AND status = %s', [user_input_email, status])XSS Prevention
Template Escaping
{# Django auto-escapes variables by default - SAFE #}{{ user_input }} {# Escaped HTML #}
{# Explicitly mark safe only for trusted content #}{{ trusted_html|safe }} {# Not escaped #}
{# Use template filters for safe HTML #}{{ user_input|escape }} {# Same as default #}{{ user_input|striptags }} {# Remove all HTML tags #}
{# JavaScript escaping #}<script> var username = {{ username|escapejs }};</script>Safe String Handling
from django.utils.safestring import mark_safefrom django.utils.html import escape
# BAD: Never mark user input as safe without escapingdef render_bad(user_input): return mark_safe(user_input) # VULNERABLE!
# GOOD: Escape first, then mark safedef render_good(user_input): return mark_safe(escape(user_input))
# GOOD: Use format_html for HTML with variablesfrom django.utils.html import format_html
def greet_user(username): return format_html('<span class="user">{}</span>', escape(username))HTTP Headers
SECURE_CONTENT_TYPE_NOSNIFF = True # Prevent MIME sniffingSECURE_BROWSER_XSS_FILTER = True # Enable XSS filterX_FRAME_OPTIONS = 'DENY' # Prevent clickjacking
# Custom middlewarefrom django.conf import settings
class SecurityHeaderMiddleware: def __init__(self, get_response): self.get_response = get_response
def __call__(self, request): response = self.get_response(request) response['X-Content-Type-Options'] = 'nosniff' response['X-Frame-Options'] = 'DENY' response['X-XSS-Protection'] = '1; mode=block' response['Content-Security-Policy'] = "default-src 'self'" return responseCSRF Protection
Default CSRF Protection
# settings.py - CSRF is enabled by defaultCSRF_COOKIE_SECURE = True # Only send over HTTPSCSRF_COOKIE_HTTPONLY = True # Prevent JavaScript accessCSRF_COOKIE_SAMESITE = 'Lax' # Prevent CSRF in some casesCSRF_TRUSTED_ORIGINS = ['https://example.com'] # Trusted domains
# Template usage<form method="post"> {% csrf_token %} {{ form.as_p }} <button type="submit">Submit</button></form>
# AJAX requestsfunction getCookie(name) { let cookieValue = null; if (document.cookie && document.cookie !== '') { const cookies = document.cookie.split(';'); for (let i = 0; i < cookies.length; i++) { const cookie = cookies[i].trim(); if (cookie.substring(0, name.length + 1) === (name + '=')) { cookieValue = decodeURIComponent(cookie.substring(name.length + 1)); break; } } } return cookieValue;}
fetch('/api/endpoint/', { method: 'POST', headers: { 'X-CSRFToken': getCookie('csrftoken'), 'Content-Type': 'application/json', }, body: JSON.stringify(data)});Exempting Views (Use Carefully)
from django.views.decorators.csrf import csrf_exempt
@csrf_exempt # Only use when absolutely necessary!def webhook_view(request): # Webhook from external service passFile Upload Security
File Validation
import osfrom django.core.exceptions import ValidationError
def validate_file_extension(value): """Validate file extension.""" ext = os.path.splitext(value.name)[1] valid_extensions = ['.jpg', '.jpeg', '.png', '.gif', '.pdf'] if not ext.lower() in valid_extensions: raise ValidationError('Unsupported file extension.')
def validate_file_size(value): """Validate file size (max 5MB).""" filesize = value.size if filesize > 5 * 1024 * 1024: raise ValidationError('File too large. Max size is 5MB.')
# models.pyclass Document(models.Model): file = models.FileField( upload_to='documents/', validators=[validate_file_extension, validate_file_size] )Secure File Storage
MEDIA_ROOT = '/var/www/media/'MEDIA_URL = '/media/'
# Use a separate domain for media in productionMEDIA_DOMAIN = 'https://media.example.com'
# Don't serve user uploads directly# Use whitenoise or a CDN for static files# Use a separate server or S3 for media filesAPI Security
Rate Limiting
REST_FRAMEWORK = { 'DEFAULT_THROTTLE_CLASSES': [ 'rest_framework.throttling.AnonRateThrottle', 'rest_framework.throttling.UserRateThrottle' ], 'DEFAULT_THROTTLE_RATES': { 'anon': '100/day', 'user': '1000/day', 'upload': '10/hour', }}
# Custom throttlefrom rest_framework.throttling import UserRateThrottle
class BurstRateThrottle(UserRateThrottle): scope = 'burst' rate = '60/min'
class SustainedRateThrottle(UserRateThrottle): scope = 'sustained' rate = '1000/day'Authentication for APIs
REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': [ 'rest_framework.authentication.TokenAuthentication', 'rest_framework.authentication.SessionAuthentication', 'rest_framework_simplejwt.authentication.JWTAuthentication', ], 'DEFAULT_PERMISSION_CLASSES': [ 'rest_framework.permissions.IsAuthenticated', ],}
# views.pyfrom rest_framework.decorators import api_view, permission_classesfrom rest_framework.permissions import IsAuthenticated
@api_view(['GET', 'POST'])@permission_classes([IsAuthenticated])def protected_view(request): return Response({'message': 'You are authenticated'})Security Headers
Content Security Policy
CSP_DEFAULT_SRC = "'self'"CSP_SCRIPT_SRC = "'self' https://cdn.example.com"CSP_STYLE_SRC = "'self' 'unsafe-inline'"CSP_IMG_SRC = "'self' data: https:"CSP_CONNECT_SRC = "'self' https://api.example.com"
# Middlewareclass CSPMiddleware: def __init__(self, get_response): self.get_response = get_response
def __call__(self, request): response = self.get_response(request) response['Content-Security-Policy'] = ( f"default-src {CSP_DEFAULT_SRC}; " f"script-src {CSP_SCRIPT_SRC}; " f"style-src {CSP_STYLE_SRC}; " f"img-src {CSP_IMG_SRC}; " f"connect-src {CSP_CONNECT_SRC}" ) return responseEnvironment Variables
Managing Secrets
# Use python-decouple or django-environimport environ
env = environ.Env( # set casting, default value DEBUG=(bool, False))
# reading .env fileenviron.Env.read_env()
SECRET_KEY = env('DJANGO_SECRET_KEY')DATABASE_URL = env('DATABASE_URL')ALLOWED_HOSTS = env.list('ALLOWED_HOSTS')
# .env file (never commit this)DEBUG=FalseSECRET_KEY=your-secret-key-hereDATABASE_URL=postgresql://user:password@localhost:5432/dbnameALLOWED_HOSTS=example.com,www.example.comLogging Security Events
LOGGING = { 'version': 1, 'disable_existing_loggers': False, 'handlers': { 'file': { 'level': 'WARNING', 'class': 'logging.FileHandler', 'filename': '/var/log/django/security.log', }, 'console': { 'level': 'INFO', 'class': 'logging.StreamHandler', }, }, 'loggers': { 'django.security': { 'handlers': ['file', 'console'], 'level': 'WARNING', 'propagate': True, }, 'django.request': { 'handlers': ['file'], 'level': 'ERROR', 'propagate': False, }, },}Quick Security Checklist
| Check | Description |
|---|---|
DEBUG = False | Never run with DEBUG in production |
| HTTPS only | Force SSL, secure cookies |
| Strong secrets | Use environment variables for SECRET_KEY |
| Password validation | Enable all password validators |
| CSRF protection | Enabled by default, don’t disable |
| XSS prevention | Django auto-escapes, don’t use |safe with user input |
| SQL injection | Use ORM, never concatenate strings in queries |
| File uploads | Validate file type and size |
| Rate limiting | Throttle API endpoints |
| Security headers | CSP, X-Frame-Options, HSTS |
| Logging | Log security events |
| Updates | Keep Django and dependencies updated |
Remember: Security is a process, not a product. Regularly review and update your security practices.