So you have finished your Django app, after months of development, and you are ready to go live. Up until now, you've been running the app in development mode. There are a few settings that you would need to change before you can go live safely.
In this post, I will go through what I consider fundamental production settings. Nevertheless, the more complex your app, the more settings you would need to differentiate between a development and a production environment. If your app is complex, this is not a comprehensive guide for the production configuration of a Django app, rather than an essential configuration for a production environment.
Maybe the most important setting you would need to turn off before going into production.
The default value when you create a Django project is
DEBUG = true in the
settings.py accompanied by a warning to turn it off in the production. This setting is responsible for pretty-printing the error messages when something goes wrong. And even though this is extremely useful while developing an app because it's showing the stack trace along with other debug data, it's extremely dangerous information to be shown in production.
I usually set an environment variable that stores what environment is the current one. Having this information, I enable debugging only in the non-prod environments.
SECRET_KEY variable is a cryptographic key used in the encryption of the user sessions. This has nothing to do with how the passwords are stored in the database, but is super sensitive and should be stored secret. If this is compromised the user sessions and cookies should not be considered secure and you should change the secret immediately.
When creating a new Django project, you are provided with an initial key that should be used in development. When going into production, you should generate a new secret key and store it in an environment variable to use it only there.
Django provides a function you can use to generate a new secret key. Simply run the following command in your Python virtual environment, and store the result in an environment variable:
python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'
settings.py use the following code to set the secret key in the production environment. The default value is the one to use in the development/local environment.
SECRET_KEY = os.environ.get("SECRET_KEY", default="django-insecure-XY")
Finally, there's a list of the allowed hosts that the app should be running. It's a common practice to set a wildcard allow-all ("*") when starting development, but this should change before going into production. Be sure to set the exact domains that you are planning to run your app since this can be used to protect you against some CSRF attacks.
Even though these are what I consider the essential settings to take care of before going into production, Django has a complete deployment checklist that I strongly recommend going through. This checklist contains not only settings for the security of your app, but for optimizing it as well.