Security is not an afterthought but is instead integral to the way you write applications. However, being human, it is handy to have a checklist to remind you of the common omissions.
The following points are a bare minimum of security checks that you should perform before making your Django application public:
Don't trust data from a browser, API, or any outside sources: This is a fundamental rule. Make sure you validate and sanitize any outside data.
Don't keep
SECRET_KEY
in version control: As a best practice, pickSECRET_KEY
from the environment. Check out thedjango-environ
package.Don't store passwords in plain text: Store your application password hashes instead. Add a random salt as well.
Don't log any sensitive data: Filter out the confidential data such as credit card details or API keys from your log files.
Any secure transaction or login should use SSL: Be aware that eavesdroppers in the same network as you are could listen to your web traffic if...