When DEBUG = False, Django doesn't work at all without a suitable value for ALLOWED_HOSTS. This setting is required to protect your site against some CSRF attacks. If you use a wildcard, you must perform your own validation of the Host HTTP header, or otherwise ensure that you aren't vulnerable to this category of attack.
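The wildcard caveat above, as an added example that is not Django's own code: a small Host-header validator that mirrors the ALLOWED_HOSTS matching rules Django documents ('*' matches anything, a leading dot matches a domain and its subdomains, otherwise an exact, case-insensitive match with any trailing dot and port ignored), plus a settings audit run over two constructed settings dicts, WEAK and HARDENED, that flags the wildcard the text warns about. The settings dicts, the function names and the host values are assumptions for illustration only.

```python
import re

# Accepts "host", "host:port", or a bracketed IPv6 literal with optional port.
# Anything else (e.g. "user@host", spaces, path characters) is rejected outright.
HOST_RE = re.compile(r"^(?P<host>[a-z0-9.\-]+|\[[a-f0-9:.]+\])(?::(?P<port>\d+))?$")


def split_domain_port(host_header):
    """Return (domain, port) from a raw Host header, or (None, None) if malformed.
    The domain is lowercased and a trailing dot (FQDN form) is stripped."""
    m = HOST_RE.match(host_header.strip().lower())
    if not m:
        return None, None
    return m.group("host").rstrip("."), m.group("port") or ""


def matches_pattern(domain, pattern):
    """Documented ALLOWED_HOSTS rules: '*' matches anything; a leading dot
    matches the domain itself and any subdomain; otherwise exact match."""
    if pattern == "*":
        return True
    pattern = pattern.lower()
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def validate_host(host_header, allowed_hosts):
    """True if the Host header is well-formed and matches some allowed pattern."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False  # malformed header: reject rather than guess
    return any(matches_pattern(domain, p) for p in allowed_hosts)


def check_allowed_hosts(settings):
    """Deployment-checklist style audit of a settings mapping; returns findings."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG is True; set it to False in production")
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts:
        findings.append("ALLOWED_HOSTS is empty: with DEBUG = False every request is rejected")
    if "*" in hosts:
        findings.append("ALLOWED_HOSTS contains '*': Host is not validated, validate it yourself")
    return findings


# Constructed sample settings (hypothetical, not from any real deployment).
WEAK = {"DEBUG": False, "ALLOWED_HOSTS": ["*"]}
HARDENED = {"DEBUG": False, "ALLOWED_HOSTS": ["www.example.com", ".api.example.com"]}
```

With the wildcard, validate_host("unexpected.test", WEAK["ALLOWED_HOSTS"]) returns True for any well-formed header, which is exactly the gap the checklist tells you to close with your own validation.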
If you're using a cache, connection parameters may be different in development and in production. Cache servers often have weak authentication. Make sure they only accept connections from your application servers. If you're using Memcached, consider using cached sessions to improve performance.
Database connection parameters are probably different in development and in production. Database passwords are very sensitive. You should protect them exactly like SECRET_KEY. For maximum security, make sure database servers only accept connections from your application servers. If you haven't set up backups for your database...