
Security checklist (manage.py check --deploy) in Django - Step-by-Step Execution

Concept Flow - Security checklist (manage.py check --deploy)
Run manage.py check --deploy
Django runs security checks
Check settings for security issues
Report warnings or pass
Fix reported issues
Re-run check until no warnings
This flow shows how running the command makes Django inspect the loaded settings module for common deployment mistakes and report each one as a warning with a check ID (security.W0xx), so you can fix it and re-run until the output is clean.
Execution Sample
Django
python manage.py check --deploy
Runs Django's deployment security checks and reports any security warnings. The checks read whatever settings module DJANGO_SETTINGS_MODULE (or --settings) points at, so run the command with your production settings, not the development ones. In CI, add --fail-level WARNING so that the command exits non-zero on warnings instead of only on errors.
Execution Table
Step | Check performed | Setting checked | Result | Action suggested
1 | DEBUG mode | DEBUG | Warning: DEBUG=True | Set DEBUG=False for production
2 | ALLOWED_HOSTS | ALLOWED_HOSTS | Warning: ALLOWED_HOSTS is empty | Add your domain names to ALLOWED_HOSTS
3 | SECRET_KEY strength | SECRET_KEY | OK | No action needed (the check flags keys shorter than 50 characters, with fewer than 5 distinct characters, or carrying the django-insecure- prefix that startproject writes)
4 | CSRF cookie Secure flag | CSRF_COOKIE_SECURE | Warning: False | Set CSRF_COOKIE_SECURE=True
5 | Session cookie Secure flag | SESSION_COOKIE_SECURE | Warning: False | Set SESSION_COOKIE_SECURE=True
6 | HSTS max-age | SECURE_HSTS_SECONDS | Warning: 0 | Set SECURE_HSTS_SECONDS > 0 (a non-zero value makes Django check SECURE_HSTS_INCLUDE_SUBDOMAINS and SECURE_HSTS_PRELOAD on the next run)
7 | X-Content-Type-Options header | SECURE_CONTENT_TYPE_NOSNIFF | Warning: False | Set SECURE_CONTENT_TYPE_NOSNIFF=True
8 | X-XSS-Protection header | SECURE_BROWSER_XSS_FILTER | Warning: False (Django < 4.0 only) | Set SECURE_BROWSER_XSS_FILTER=True on Django < 4.0; the setting and its check were removed in Django 4.0 because modern browsers no longer honor the header
9 | HTTPS redirect | SECURE_SSL_REDIRECT | Warning: False | Set SECURE_SSL_REDIRECT=True
10 | Clickjacking header | X_FRAME_OPTIONS | OK | No action needed (the check expects 'DENY')
11 | CSRF cookie HttpOnly flag | CSRF_COOKIE_HTTPONLY | Warning: False | Set CSRF_COOKIE_HTTPONLY=True, unless front-end JavaScript reads the csrftoken cookie; in that case pass the token through the template instead
12 | Session cookie HttpOnly flag | SESSION_COOKIE_HTTPONLY | OK | No action needed
13 | Referrer-Policy header | SECURE_REFERRER_POLICY | Warning: None | Set SECURE_REFERRER_POLICY to a safe value such as 'same-origin' (Django's default since 3.1; the warning fires only when it is explicitly None)
14 | Proxy TLS header | SECURE_PROXY_SSL_HEADER | Not reported (no built-in check) | Set it to ('HTTP_X_FORWARDED_PROTO', 'https') only if a TLS-terminating proxy in front of Django overwrites that header on every request; otherwise leave it unset, or clients can claim HTTPS themselves
15 | Default password validators | AUTH_PASSWORD_VALIDATORS | OK | No action needed
16 | Summary | All checks | Warnings found | Fix all warnings before deployment
💡 Checks complete; warnings indicate settings to fix for secure deployment
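To make the execution table concrete without needing a Django install, here is an added example written for this page (not Django's own code) that re-implements a subset of the deployment checks over a plain settings dict and then runs the fix-and-re-run loop the concept flow describes. The check IDs and conditions follow django.core.checks.security for the usual layout where both the sessions app and SessionMiddleware are installed; WEAK_SETTINGS is a constructed sample mirroring the table above, and deploy_checks, FIXES and run_until_clean are hypothetical helpers.

```python
"""Re-implementation of a subset of Django's ``check --deploy`` security checks.

Added example for this page, not Django's code.  Runs over a plain dict so it
needs no Django install; check IDs follow django.core.checks.security.
"""
from __future__ import annotations

import secrets
from typing import Any, Callable

SECRET_KEY_INSECURE_PREFIX = "django-insecure-"  # prefix startproject writes into dev keys
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE = 5


def deploy_checks(s: dict[str, Any]) -> list[str]:
    """Return the IDs of every failing check, in a stable order."""
    get = s.get
    hsts = get("SECURE_HSTS_SECONDS", 0)
    secret = get("SECRET_KEY") or ""
    conditions: list[tuple[str, bool]] = [
        ("security.W018", get("DEBUG", False) is True),
        ("security.W020", not get("ALLOWED_HOSTS", [])),
        ("security.W009", len(secret) < SECRET_KEY_MIN_LENGTH
                          or len(set(secret)) < SECRET_KEY_MIN_UNIQUE
                          or secret.startswith(SECRET_KEY_INSECURE_PREFIX)),
        ("security.W016", not get("CSRF_COOKIE_SECURE", False)),
        ("security.W017", not get("CSRF_COOKIE_HTTPONLY", False)),
        ("security.W012", not get("SESSION_COOKIE_SECURE", False)),
        ("security.W015", not get("SESSION_COOKIE_HTTPONLY", True)),
        ("security.W004", not hsts),
        # W005/W021 only fire once HSTS is enabled: fixing W004 surfaces them on the re-run
        ("security.W005", bool(hsts) and not get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False)),
        ("security.W021", bool(hsts) and not get("SECURE_HSTS_PRELOAD", False)),
        ("security.W006", not get("SECURE_CONTENT_TYPE_NOSNIFF", True)),
        ("security.W008", not get("SECURE_SSL_REDIRECT", False)),
        ("security.W019", str(get("X_FRAME_OPTIONS", "DENY")).upper() != "DENY"),
        ("security.W022", get("SECURE_REFERRER_POLICY", "same-origin") is None),
    ]
    return [check_id for check_id, failed in conditions if failed]


# One remediation per check ID: the "Action suggested" column as code.
FIXES: dict[str, Callable[[dict[str, Any]], None]] = {
    "security.W018": lambda s: s.update(DEBUG=False),
    "security.W020": lambda s: s.update(ALLOWED_HOSTS=["example.com"]),
    "security.W009": lambda s: s.update(SECRET_KEY=secrets.token_urlsafe(48)),  # 64 random chars
    "security.W016": lambda s: s.update(CSRF_COOKIE_SECURE=True),
    "security.W017": lambda s: s.update(CSRF_COOKIE_HTTPONLY=True),
    "security.W012": lambda s: s.update(SESSION_COOKIE_SECURE=True),
    "security.W015": lambda s: s.update(SESSION_COOKIE_HTTPONLY=True),
    "security.W004": lambda s: s.update(SECURE_HSTS_SECONDS=3600),  # start small, raise later
    "security.W005": lambda s: s.update(SECURE_HSTS_INCLUDE_SUBDOMAINS=True),
    "security.W021": lambda s: s.update(SECURE_HSTS_PRELOAD=True),
    "security.W006": lambda s: s.update(SECURE_CONTENT_TYPE_NOSNIFF=True),
    "security.W008": lambda s: s.update(SECURE_SSL_REDIRECT=True),
    "security.W019": lambda s: s.update(X_FRAME_OPTIONS="DENY"),
    "security.W022": lambda s: s.update(SECURE_REFERRER_POLICY="same-origin"),
}


def run_until_clean(s: dict[str, Any], max_passes: int = 5) -> list[list[str]]:
    """Mimic the run -> fix -> re-run loop.  Mutates ``s`` and returns the
    warning list of each pass; the last entry is empty once the settings pass."""
    history: list[list[str]] = []
    for _ in range(max_passes):
        warnings = deploy_checks(s)
        history.append(warnings)
        if not warnings:
            break
        for check_id in warnings:
            FIXES[check_id](s)
    return history


# Constructed sample: a fresh startproject settings file as the table describes it.
# The SECRET_KEY is a deterministic placeholder, not a real secret.
WEAK_SETTINGS: dict[str, Any] = {
    "DEBUG": True,
    "ALLOWED_HOSTS": [],
    "SECRET_KEY": "".join(chr(33 + i % 90) for i in range(60)),
    "CSRF_COOKIE_SECURE": False,
    "CSRF_COOKIE_HTTPONLY": False,
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_SSL_REDIRECT": False,
    "X_FRAME_OPTIONS": "DENY",
    "SECURE_REFERRER_POLICY": None,
}

if __name__ == "__main__":
    for n, warnings in enumerate(run_until_clean(dict(WEAK_SETTINGS)), 1):
        print(f"pass {n}: {len(warnings)} warning(s) {warnings}")
```

The point the loop makes is why "re-run until no warnings" is a step of its own: the first pass reports eight warnings, fixing SECURE_HSTS_SECONDS then exposes W005 and W021 on the second pass, and only the third pass is clean. Swap the placeholder key for one with the django-insecure- prefix and W009 joins the first pass.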
Variable Tracker
Setting | Initial value | After fix 1 | After fix 2 | Final
DEBUG | True | False | False | False
ALLOWED_HOSTS | [] | ['example.com'] | ['example.com'] | ['example.com']
CSRF_COOKIE_SECURE | False | True | True | True
SESSION_COOKIE_SECURE | False | True | True | True
SECURE_HSTS_SECONDS | 0 | 3600 | 3600 | 3600 (raise towards 31536000 once HTTPS is confirmed everywhere; browsers cache HSTS, so a long value cannot be quickly undone)
SECURE_CONTENT_TYPE_NOSNIFF | False | True | True | True
SECURE_BROWSER_XSS_FILTER | False | True | True | True (Django < 4.0 only; the setting no longer exists in 4.0+)
SECURE_SSL_REDIRECT | False | True | True | True
CSRF_COOKIE_HTTPONLY | False | True | True | True
SECURE_REFERRER_POLICY | None | 'no-referrer' | 'no-referrer' | 'no-referrer'
SECURE_PROXY_SSL_HEADER | None | ('HTTP_X_FORWARDED_PROTO', 'https') | ('HTTP_X_FORWARDED_PROTO', 'https') | ('HTTP_X_FORWARDED_PROTO', 'https') (only when a TLS-terminating proxy sets that header)
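The tracker shows the values the checks want; the remaining risk is that they regress to the development defaults because someone forgot an environment variable. The following added example (written for this page; build_security_settings, env_bool and the DJANGO_* variable names are assumptions, not Django API) derives the post-fix values from the environment and fails closed: a missing DJANGO_DEBUG means production, and production refuses to start without hosts and a real key. It also sets SECURE_PROXY_SSL_HEADER only when a proxy is declared, since trusting X-Forwarded-Proto from the open internet lets any client claim HTTPS and bypass SECURE_SSL_REDIRECT.

```python
"""Fail-closed production settings derived from environment variables.

Added example for this page, not Django's code.  A real settings.py would do
``globals().update(build_security_settings(os.environ))`` near its end.
"""
from __future__ import annotations

import os
from typing import Any, Mapping

SECRET_KEY_INSECURE_PREFIX = "django-insecure-"
ONE_YEAR = 31536000  # HSTS preload lists require max-age of at least one year


class SettingsError(ValueError):
    """Raised when a production-critical variable is missing or malformed."""


def env_bool(env: Mapping[str, str], name: str, default: bool) -> bool:
    """Parse a boolean strictly: an unrecognised value is an error, not False."""
    raw = env.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in {"1", "true", "yes", "on"}:
        return True
    if value in {"0", "false", "no", "off"}:
        return False
    raise SettingsError(f"{name} must be a boolean, got {raw!r}")


def env_list(env: Mapping[str, str], name: str) -> list[str]:
    """Comma-separated list, with blanks dropped."""
    return [item.strip() for item in env.get(name, "").split(",") if item.strip()]


def build_security_settings(env: Mapping[str, str]) -> dict[str, Any]:
    """Return the security-relevant settings for the given environment."""
    debug = env_bool(env, "DJANGO_DEBUG", False)  # absent means production
    allowed_hosts = env_list(env, "DJANGO_ALLOWED_HOSTS")
    secret_key = env.get("DJANGO_SECRET_KEY", "")

    if not debug:
        if not allowed_hosts:
            raise SettingsError("DJANGO_ALLOWED_HOSTS is required when DJANGO_DEBUG is false")
        if (len(secret_key) < 50 or len(set(secret_key)) < 5
                or secret_key.startswith(SECRET_KEY_INSECURE_PREFIX)):
            raise SettingsError("DJANGO_SECRET_KEY is missing, too short, or a startproject dev key")

    hsts_seconds = int(env.get("DJANGO_HSTS_SECONDS", "0" if debug else "3600"))

    settings: dict[str, Any] = {
        "DEBUG": debug,
        "ALLOWED_HOSTS": allowed_hosts,
        "SECRET_KEY": secret_key,
        "CSRF_COOKIE_SECURE": not debug,
        "CSRF_COOKIE_HTTPONLY": True,
        "SESSION_COOKIE_SECURE": not debug,
        "SESSION_COOKIE_HTTPONLY": True,
        "SECURE_SSL_REDIRECT": not debug,
        "SECURE_HSTS_SECONDS": hsts_seconds,
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": hsts_seconds > 0,
        # Preload is effectively permanent, so only opt in once the max-age is a full year.
        "SECURE_HSTS_PRELOAD": hsts_seconds >= ONE_YEAR,
        "SECURE_CONTENT_TYPE_NOSNIFF": True,
        "X_FRAME_OPTIONS": "DENY",
        "SECURE_REFERRER_POLICY": "same-origin",
    }

    # Trust X-Forwarded-Proto only when a TLS-terminating proxy in front of
    # Django is known to overwrite it on every request.  Without that proxy
    # any client can send the header, request.is_secure() lies, and
    # SECURE_SSL_REDIRECT is silently defeated.
    if env_bool(env, "DJANGO_BEHIND_TLS_PROXY", False):
        settings["SECURE_PROXY_SSL_HEADER"] = ("HTTP_X_FORWARDED_PROTO", "https")
    return settings


if __name__ == "__main__":
    for key, value in build_security_settings(os.environ).items():
        print(f"{key} = {value!r}")
```

With the 3600-second HSTS value from the tracker, `check --deploy` will still report security.W021 because SECURE_HSTS_PRELOAD stays False; that is deliberate during rollout, and the warning clears once DJANGO_HSTS_SECONDS reaches a year.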
Key Moments - 3 Insights
Why does the check warn if DEBUG is True?
DEBUG=True serves Django's detailed error pages to anyone who triggers an exception, including the traceback, local variables and a dump of settings, which leaks internals an attacker can use. Row 1 of the execution table shows this warning and the fix: set DEBUG=False.
What happens if ALLOWED_HOSTS is empty?
ALLOWED_HOSTS is the list of Host header values Django accepts; it exists to stop host header poisoning, where an attacker-supplied Host ends up in absolute URLs such as password reset links. With DEBUG=False an empty list means every request is rejected with a 400 (with DEBUG=True, Django falls back to localhost addresses, which is why the problem only appears in production). Row 2 of the execution table warns about this and suggests adding your domain names.
Why set CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE to True?
These settings add the Secure flag to the session and CSRF cookies, so the browser sends them only over HTTPS and they cannot be read by anyone who can observe or inject plaintext HTTP traffic. Rows 4 and 5 show the warnings raised when they are False. The separate HttpOnly settings in rows 11 and 12 address a different threat: keeping the cookies out of reach of JavaScript.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table at step 6: what is the value of SECURE_HSTS_SECONDS?
A) 0
B) 3600
C) True
D) Not set
💡 Hint
Check the 'Result' column in row 6 of the execution table.
At which step does Django check whether SESSION_COOKIE_SECURE is set correctly?
A) Step 3
B) Step 9
C) Step 5
D) Step 12
💡 Hint
Look for SESSION_COOKIE_SECURE in the 'Setting Checked' column.
If you set DEBUG to False, how does the variable tracker show this change?
A) DEBUG stays True
B) DEBUG changes from True to False after fix 1
C) DEBUG changes from False to True after fix 1
D) DEBUG is removed
💡 Hint
Check the 'DEBUG' row in the variable tracker from 'Initial value' to 'After fix 1'.
Concept Snapshot
Run 'manage.py check --deploy' with your production settings to scan them for security issues.
It checks DEBUG, ALLOWED_HOSTS, SECRET_KEY strength, cookie flags, HTTPS and HSTS settings, and the security headers.
Each warning names the setting to fix and carries a check ID you can look up in the Django docs.
Fix every warning (or silence one deliberately via SILENCED_SYSTEM_CHECKS with a documented reason) before deploying.
Re-run the check until no warnings remain; fixing one setting can surface follow-on checks.
Full Transcript
The 'manage.py check --deploy' command runs a series of security checks on your Django project settings. It looks for common mistakes such as leaving DEBUG on, leaving ALLOWED_HOSTS empty, shipping the startproject SECRET_KEY, or missing Secure and HttpOnly cookie flags and security headers. Each check reports whether the setting is safe or needs fixing. For example, DEBUG should be False in production so that error pages do not expose tracebacks and settings. ALLOWED_HOSTS must list your domain names, because Django rejects any request whose Host header is not in it. Secure cookie settings ensure the session and CSRF cookies are sent only over HTTPS. The command prints a warning with a check ID for each issue found. The checks run against whatever settings module is loaded, so point DJANGO_SETTINGS_MODULE at the production settings, fix the warnings in that settings file, and run the command again until no warnings remain; in CI, --fail-level WARNING turns any remaining warning into a failed build. This helps you prepare your Django app for safe deployment.