1. ====================

  2. Deployment checklist

  3. ====================

  4. 

  5. The internet is a hostile environment. Before deploying your Django project,

  6. you should take some time to review your settings, with security, performance,

  7. and operations in mind.

  8. 

  9. Django includes many :doc:`security features </topics/security>`. Some are

  10. built-in and always enabled. Others are optional because they aren't always

  11. appropriate, or because they're inconvenient for development. For example,

  12. forcing HTTPS may not be suitable for all websites, and it's impractical for

  13. local development.

  14. 

  15. Performance optimizations are another category of trade-offs with convenience.

  16. For instance, caching is useful in production, less so for local development.

  17. Error reporting needs are also widely different.

  18. 

  19. The following checklist includes settings that:

  20. 

  21. - must be set properly for Django to provide the expected level of security;

  22. - are expected to be different in each environment;

  23. - enable optional security features;

  24. - enable performance optimizations;

  25. - provide error reporting.

  26. 

  27. Many of these settings are sensitive and should be treated as confidential. If

  28. you're releasing the source code for your project, a common practice is to

  29. publish suitable settings for development, and to use a private settings

  30. module for production.

  31. 

  32. Run ``manage.py check --deploy``

  33. ================================

  34. 

  35. Some of the checks described below can be automated using the :option:`check

  36. --deploy` option. Be sure to run it against your production settings file as

  37. described in the option's documentation.

  38. 

  39. Critical settings

  40. =================

  41. 

  42. :setting:`SECRET_KEY`

  43. ---------------------

  44. 

  45. **The secret key must be a large random value and it must be kept secret.**

  46. 

  47. Make sure that the key used in production isn't used anywhere else and avoid

  48. committing it to source control. This reduces the number of vectors from which

  49. an attacker may acquire the key.

  50. 

  51. Instead of hardcoding the secret key in your settings module, consider loading

  52. it from an environment variable::

  53. 

  54.     import os

  55.     SECRET_KEY = os.environ['SECRET_KEY']

  56. 

  57. or from a file::

  58. 

  59.     with open('/etc/secret_key.txt') as f:

  60.         SECRET_KEY = f.read().strip()

  61. 

  62. If rotating secret keys, you may use :setting:`SECRET_KEY_FALLBACKS`::

  63. 

  64.     import os

  65.     SECRET_KEY = os.environ['CURRENT_SECRET_KEY']

  66.     SECRET_KEY_FALLBACKS = [

  67.         os.environ['OLD_SECRET_KEY'],

  68.     ]

  69. 

  70. Ensure that old secret keys are removed from ``SECRET_KEY_FALLBACKS`` in a

  71. timely manner.

  72. 

  73. .. versionchanged:: 4.1

  74. 

  75.     The ``SECRET_KEY_FALLBACKS`` setting was added to support rotating secret

  76.     keys.

  77. 

  78. :setting:`DEBUG`

  79. ----------------

  80. 

  81. **You must never enable debug in production.**

  82. 

  83. You're certainly developing your project with :setting:`DEBUG = True <DEBUG>`,

  84. since this enables handy features like full tracebacks in your browser.

  85. 

  86. For a production environment, though, this is a really bad idea, because it

  87. leaks lots of information about your project: excerpts of your source code,

  88. local variables, settings, libraries used, etc.

  89. 

  90. Environment-specific settings

  91. =============================

  92. 

  93. :setting:`ALLOWED_HOSTS`

  94. ------------------------

  95. 

  96. When :setting:`DEBUG = False <DEBUG>`, Django doesn't work at all without a

  97. suitable value for :setting:`ALLOWED_HOSTS`.

  98. 

  99. This setting is required to protect your site against some CSRF attacks. If

  100. you use a wildcard, you must perform your own validation of the ``Host`` HTTP

  101. header, or otherwise ensure that you aren't vulnerable to this category of

  102. attacks.

  103. 

  104. You should also configure the web server that sits in front of Django to

  105. validate the host. It should respond with a static error page or ignore

  106. requests for incorrect hosts instead of forwarding the request to Django. This

  107. way you'll avoid spurious errors in your Django logs (or emails if you have

  108. error reporting configured that way). For example, on nginx you might set up a

  109. default server to return "444 No Response" on an unrecognized host:

  110. 

  111. .. code-block:: nginx

  112. 

  113.     server {

  114.         listen 80 default_server;

  115.         return 444;

  116.     }

  117. 

  118. :setting:`CACHES`

  119. -----------------

  120. 

  121. If you're using a cache, connection parameters may be different in development

  122. and in production. Django defaults to per-process :ref:`local-memory caching

  123. <local-memory-caching>` which may not be desirable.

  124. 

  125. Cache servers often have weak authentication. Make sure they only accept

  126. connections from your application servers.

  127. 

  128. :setting:`DATABASES`

  129. --------------------

  130. 

  131. Database connection parameters are probably different in development and in

  132. production.

  133. 

  134. Database passwords are very sensitive. You should protect them exactly like

  135. :setting:`SECRET_KEY`.

  136. 

  137. For maximum security, make sure database servers only accept connections from

  138. your application servers.

  139. 

  140. If you haven't set up backups for your database, do it right now!

  141. 

  142. :setting:`EMAIL_BACKEND` and related settings

  143. ---------------------------------------------

  144. 

  145. If your site sends emails, these values need to be set correctly.

  146. 

  147. By default, Django sends email from webmaster@localhost and root@localhost.

  148. However, some mail providers reject email from these addresses. To use

  149. different sender addresses, modify the :setting:`DEFAULT_FROM_EMAIL` and

  150. :setting:`SERVER_EMAIL` settings.

  151. 

  152. :setting:`STATIC_ROOT` and :setting:`STATIC_URL`

  153. ------------------------------------------------

  154. 

  155. Static files are automatically served by the development server. In

  156. production, you must define a :setting:`STATIC_ROOT` directory where

  157. :djadmin:`collectstatic` will copy them.

  158. 

  159. See :doc:`/howto/static-files/index` for more information.

  160. 

  161. :setting:`MEDIA_ROOT` and :setting:`MEDIA_URL`

  162. ----------------------------------------------

  163. 

  164. Media files are uploaded by your users. They're untrusted! Make sure your web

  165. server never attempts to interpret them. For instance, if a user uploads a

  166. ``.php`` file, the web server shouldn't execute it.

  167. 

  168. Now is a good time to check your backup strategy for these files.

  169. 

  170. HTTPS

  171. =====

  172. 

  173. Any website which allows users to log in should enforce site-wide HTTPS to

  174. avoid transmitting access tokens in clear. In Django, access tokens include

  175. the login/password, the session cookie, and password reset tokens. (You can't

  176. do much to protect password reset tokens if you're sending them by email.)

  177. 

  178. Protecting sensitive areas such as the user account or the admin isn't

  179. sufficient, because the same session cookie is used for HTTP and HTTPS. Your

  180. web server must redirect all HTTP traffic to HTTPS, and only transmit HTTPS

  181. requests to Django.

  182. 

  183. Once you've set up HTTPS, enable the following settings.

  184. 

  185. :setting:`CSRF_COOKIE_SECURE`

  186. -----------------------------

  187. 

  188. Set this to ``True`` to avoid transmitting the CSRF cookie over HTTP

  189. accidentally.

  190. 

  191. :setting:`SESSION_COOKIE_SECURE`

  192. --------------------------------

  193. 

  194. Set this to ``True`` to avoid transmitting the session cookie over HTTP

  195. accidentally.

  196. 

  197. Performance optimizations

  198. =========================

  199. 

  200. Setting :setting:`DEBUG = False <DEBUG>` disables several features that are

  201. only useful in development. In addition, you can tune the following settings.

  202. 

  203. Sessions

  204. --------

  205. 

  206. Consider using :ref:`cached sessions <cached-sessions-backend>` to improve

  207. performance.

  208. 

  209. If using database-backed sessions, regularly :ref:`clear old sessions

  210. <clearing-the-session-store>` to avoid storing unnecessary data.

  211. 

  212. :setting:`CONN_MAX_AGE`

  213. -----------------------

  214. 

  215. Enabling :ref:`persistent database connections

  216. <persistent-database-connections>` can result in a nice speed-up when

  217. connecting to the database accounts for a significant part of the request

  218. processing time.

  219. 

  220. This helps a lot on virtualized hosts with limited network performance.

  221. 

  222. :setting:`TEMPLATES`

  223. --------------------

  224. 

  225. Enabling the cached template loader often improves performance drastically, as

  226. it avoids compiling each template every time it needs to be rendered. When

  227. :setting:`DEBUG = False <DEBUG>`, the cached template loader is enabled

  228. automatically. See :class:`django.template.loaders.cached.Loader` for more

  229. information.

  230. 

  231. Error reporting

  232. ===============

  233. 

  234. By the time you push your code to production, it's hopefully robust, but you

  235. can't rule out unexpected errors. Thankfully, Django can capture errors and

  236. notify you accordingly.

  237. 

  238. :setting:`LOGGING`

  239. ------------------

  240. 

  241. Review your logging configuration before putting your website in production,

  242. and check that it works as expected as soon as you have received some traffic.

  243. 

  244. See :doc:`/topics/logging` for details on logging.

  245. 

  246. :setting:`ADMINS` and :setting:`MANAGERS`

  247. -----------------------------------------

  248. 

  249. :setting:`ADMINS` will be notified of 500 errors by email.

  250. 

  251. :setting:`MANAGERS` will be notified of 404 errors.

  252. :setting:`IGNORABLE_404_URLS` can help filter out spurious reports.

  253. 

  254. See :doc:`/howto/error-reporting` for details on error reporting by email.

  255. 

  256. .. admonition:: Error reporting by email doesn't scale very well

  257. 

  258.     Consider using an error monitoring system such as Sentry_ before your

  259.     inbox is flooded by reports. Sentry can also aggregate logs.

  260. 

  261.     .. _Sentry: https://docs.sentry.io/

  262. 

  263. Customize the default error views

  264. ---------------------------------

  265. 

  266. Django includes default views and templates for several HTTP error codes. You

  267. may want to override the default templates by creating the following templates

  268. in your root template directory: ``404.html``, ``500.html``, ``403.html``, and

  269. ``400.html``. The :ref:`default error views <error-views>` that use these

  270. templates should suffice for 99% of web applications, but you can

  271. :ref:`customize them <customizing-error-views>` as well.
About Sign Up Leave Feedback Contact