
Security checklist (manage.py check --deploy) in Django - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is the purpose of the manage.py check --deploy command in Django?
It runs a security-focused system check to find common deployment issues and suggests fixes to make your Django app safer in production.
beginner
Name two security settings that manage.py check --deploy verifies.
It checks if DEBUG is set to False and if SECURE_SSL_REDIRECT is enabled to force HTTPS connections.
beginner
Why should DEBUG be set to False in production according to the security checklist?
Because DEBUG=True shows detailed error pages that can leak sensitive information to attackers.
intermediate
What does the SECURE_HSTS_SECONDS setting control, and why is it important?
It sets how long browsers should only use HTTPS for your site, helping prevent man-in-the-middle attacks by enforcing secure connections.
beginner
What does the security check say about ALLOWED_HOSTS?
It must be set to a list of valid host/domain names your site can serve to prevent HTTP Host header attacks.
What does manage.py check --deploy primarily check for?
A. Template syntax errors
B. Database schema errors
C. Performance bottlenecks
D. Security and deployment best practices
Which setting should NOT be True in production according to the checklist?
A. SECURE_HSTS_SECONDS
B. SECURE_SSL_REDIRECT
C. DEBUG
D. ALLOWED_HOSTS
What is the role of SECURE_SSL_REDIRECT?
A. Redirect HTTP requests to HTTPS
B. Disable SSL encryption
C. Enable debug mode
D. Allow all hosts
Why must ALLOWED_HOSTS be set properly?
A. To prevent HTTP Host header attacks
B. To enable debug mode
C. To allow database connections
D. To disable SSL
What does SECURE_HSTS_SECONDS help enforce?
A. Disabling cookies
B. HTTPS-only connections for a set time
C. Allowing HTTP connections
D. Enabling debug info
Explain the main security checks performed by manage.py check --deploy and why they matter.
Think about what settings protect your app from common attacks and leaks.
    Describe how you would fix a warning about ALLOWED_HOSTS from the deployment check.
    Consider what hosts your app should trust and serve.

      Practice

      1. What is the main purpose of running manage.py check --deploy in a Django project?
      easy
      A. To create a new database migration
      B. To start the Django development server
      C. To find security issues before deploying the site to production
      D. To install required Python packages

      Solution

      1. Step 1: Understand the command's role

        manage.py check --deploy runs checks specifically for security and deployment readiness.
      2. Step 2: Compare with other commands

        Other commands like migrations or server start do not check security issues.
      3. Final Answer:

        To find security issues before deploying the site to production -> Option C
      4. Quick Check:

        Security check = B [OK]
      Hint: Remember: --deploy means check for production security [OK]
      Common Mistakes:
      • Confusing it with migration commands
      • Thinking it starts the server
      • Assuming it installs packages
      2. Which of the following is the correct way to run the security deployment check in Django?
      easy
      A. python manage.py startapp --deploy
      B. python manage.py migrate --deploy
      C. python manage.py runserver --deploy
      D. python manage.py check --deploy

      Solution

      1. Step 1: Identify the correct command syntax

        The command to check security issues is python manage.py check --deploy.
      2. Step 2: Eliminate incorrect options

        Other commands like migrate, runserver, or startapp do not accept --deploy and serve different purposes.
      3. Final Answer:

        python manage.py check --deploy -> Option D
      4. Quick Check:

        Correct command syntax = A [OK]
      Hint: Use 'check' command with --deploy flag for security checks [OK]
      Common Mistakes:
      • Using migrate or runserver with --deploy
      • Mixing up command names
      • Omitting 'python' or 'manage.py'
      3. After running python manage.py check --deploy, you see a warning about SECURE_SSL_REDIRECT not being set. What will happen if you ignore this warning?
      medium
      A. Your site will not redirect HTTP requests to HTTPS, risking insecure connections
      B. Your database migrations will fail
      C. Your static files will not load
      D. Your admin login page will be disabled

      Solution

      1. Step 1: Understand the warning about SECURE_SSL_REDIRECT

        This setting forces HTTP requests to redirect to HTTPS, securing data in transit.
      2. Step 2: Consequences of ignoring the warning

        If not set, users can connect over insecure HTTP, exposing sensitive data.
      3. Final Answer:

        Your site will not redirect HTTP requests to HTTPS, risking insecure connections -> Option A
      4. Quick Check:

        SSL redirect missing = insecure HTTP allowed [OK]
      Hint: SSL redirect warning means HTTP stays open, fix it! [OK]
      Common Mistakes:
      • Thinking it affects database or static files
      • Assuming admin page disables automatically
      • Ignoring HTTPS importance
      4. You ran python manage.py check --deploy and got this error: "Your SECRET_KEY is not set or is insecure." What is the best way to fix this?
      medium
      A. Set a long, random SECRET_KEY in your settings and keep it secret
      B. Remove the SECRET_KEY setting from your settings file
      C. Set SECRET_KEY to 'django-insecure' for simplicity
      D. Ignore the warning; it only affects development

      Solution

      1. Step 1: Understand SECRET_KEY importance

        SECRET_KEY is used for cryptographic signing and must be unique and secret.
      2. Step 2: Fix by setting a strong, random key

        Generate a long random string and set it in settings securely; do not share it.
      3. Final Answer:

        Set a long, random SECRET_KEY in your settings and keep it secret -> Option A
      4. Quick Check:

        Strong SECRET_KEY = A [OK]
      Hint: Never share SECRET_KEY; generate a strong random one [OK]
      Common Mistakes:
      • Using default insecure keys
      • Removing SECRET_KEY setting
      • Ignoring warnings thinking they're only for dev
      5. You want to ensure your Django app is secure for production. Which combination of settings should you verify or enable after running manage.py check --deploy?
      hard
      A. Remove ALLOWED_HOSTS, set DEBUG=True, and disable security middleware
      B. Set SECURE_SSL_REDIRECT=True, SESSION_COOKIE_SECURE=True, and DEBUG=False
      C. Set DEBUG=True, ALLOWED_HOSTS=['*'], and CSRF_COOKIE_SECURE=False
      D. Keep DEBUG=True, set SECURE_HSTS_SECONDS=0, and disable SSL redirect

      Solution

      1. Step 1: Identify secure production settings

        SECURE_SSL_REDIRECT and SESSION_COOKIE_SECURE enforce HTTPS and secure cookies; DEBUG must be False in production.
      2. Step 2: Eliminate insecure options

        Options with DEBUG=True or ALLOWED_HOSTS=['*'] are insecure and should be avoided.
      3. Final Answer:

        Set SECURE_SSL_REDIRECT=True, SESSION_COOKIE_SECURE=True, and DEBUG=False -> Option B
      4. Quick Check:

        Secure settings = C [OK]
      Hint: Disable DEBUG and enable SSL redirect for production [OK]
      Common Mistakes:
      • Leaving DEBUG=True in production
      • Allowing all hosts with ALLOWED_HOSTS=['*']
      • Disabling security middleware