Code Reference

Security

Django · Reference cheat sheet

Security

Django · Reference cheat sheet


📋 Overview

Django provides CSRF protection, XSS escaping, clickjacking headers, host validation, and SSL redirects. Harden production settings (DEBUG=False, secure cookies, HSTS). Treat user input and uploads as hostile; keep secrets out of code and VCS.

🔧 Core concepts

ControlMechanism
CSRFToken + CsrfViewMiddleware
XSSTemplate auto-escape
ClickjackingXFrameOptionsMiddleware
Host headerALLOWED_HOSTS
HTTPSSECURE_SSL_REDIRECT, HSTS
CookiesSECURE / HTTPONLY / SAMESITE
SQLORM parameterization
PasswordsHashers (PBKDF2, Argon2)

django.middleware.security.SecurityMiddleware applies many header redirects.

💡 Examples

Production settings checklist:

DEBUG = False
ALLOWED_HOSTS = ["www.example.com"]
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_CONTENT_TYPE_NOSNIFF = True
SECURE_REFERRER_POLICY = "same-origin"
X_FRAME_OPTIONS = "DENY"
CSRF_TRUSTED_ORIGINS = ["https://www.example.com"]

CSRF in AJAX:

const csrftoken = document.querySelector("[name=csrfmiddlewaretoken]").value;
fetch("/api/item/", {
  method: "POST",
  headers: { "X-CSRFToken": csrftoken, "Content-Type": "application/json" },
  body: JSON.stringify({ title: "Hi" }),
});

Safe vs unsafe:

{{ user_bio }}           {# escaped #}
{{ user_bio|safe }}      {# only if trusted #}

⚠️ Pitfalls

  • DEBUG=True in production leaks traces and settings.
  • Disabling CSRF for “API convenience” on cookie-auth browsers.
  • |safe / mark_safe on user HTML.
  • Open redirects via unvalidated next= parameters.
  • Serving user uploads from the same origin with executable MIME types.

On this page