
How to Use SSL in Django: Secure Your Site with HTTPS

To use SSL (strictly speaking TLS) with Django, terminate TLS on your web server (Nginx or Apache) with a valid certificate, tell Django how to recognise proxied HTTPS requests via SECURE_PROXY_SSL_HEADER, then set SECURE_SSL_REDIRECT = True so SecurityMiddleware sends every plain-HTTP request to HTTPS. Also enable the related hardening settings (SECURE_HSTS_SECONDS, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE) so browsers and cookies stop using HTTP altogether.
📐

Syntax

To enable SSL in Django you mainly adjust settings in settings.py and configure your web server to hold the certificate. All of the SECURE_* settings below are enforced by django.middleware.security.SecurityMiddleware, which must be present in MIDDLEWARE (it is in the default project template).

  • SECURE_SSL_REDIRECT = True: SecurityMiddleware answers every non-HTTPS request with a 301 to the same URL on https://.
  • SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https'): when TLS is terminated by a reverse proxy, Django only sees plain HTTP from the proxy; this setting makes request.is_secure() trust the proxy's X-Forwarded-Proto header instead. Without it, SECURE_SSL_REDIRECT loops forever behind a proxy.
  • SECURE_HSTS_SECONDS = 31536000: adds a Strict-Transport-Security header with max-age of one year (365 days), so browsers refuse plain HTTP to your host for that long.
  • SECURE_HSTS_INCLUDE_SUBDOMAINS = True: adds the includeSubDomains directive, extending HSTS to all subdomains.
  • SECURE_HSTS_PRELOAD = True: adds the preload directive. This does not by itself put you on the browser preload list; you still submit the domain at hstspreload.org, which requires includeSubDomains and a max-age of at least one year.
  • SESSION_COOKIE_SECURE = True and CSRF_COOKIE_SECURE = True: set the Secure flag on the session and CSRF cookies so browsers only send them over HTTPS.

SSL certificates are installed and managed on your web server, not directly in Django.

python
# settings.py (production)
SECURE_SSL_REDIRECT = True
# Only when a reverse proxy terminates TLS; see the Nginx block below.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
💻

Example

This example shows the Django settings for a TLS-terminating Nginx reverse proxy, and the matching Nginx server blocks that serve the Django app over HTTPS with a Let's Encrypt certificate. Nginx handles TLS and forwards plain HTTP to the application server (gunicorn or uWSGI on port 8000); the X-Forwarded-Proto header is how Django learns that the original request was HTTPS.

python
# settings.py
DEBUG = False
ALLOWED_HOSTS = ['yourdomain.com']

# SecurityMiddleware enforces every SECURE_* setting below; keep it near the top.
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    # ... the rest of the default middleware stack ...
]

# Trust Nginx's X-Forwarded-Proto so request.is_secure() is True for proxied HTTPS.
# Without this, SECURE_SSL_REDIRECT redirects every proxied request in a loop.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

nginx
# /etc/nginx/sites-enabled/yourdomain.com
# Plain HTTP: redirect everything to HTTPS before it ever reaches Django.
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    # Certificate and key issued by Let's Encrypt (certbot default paths).
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Application server (gunicorn/uWSGI) listening on localhost only.
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is "https" in this block; proxy_set_header also overwrites
        # any X-Forwarded-Proto a client tried to send, so Django can trust it.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Output

Requesting http://yourdomain.com/ returns a 301 to https://yourdomain.com/ and the page loads over TLS. The HTTPS response carries Strict-Transport-Security: max-age=31536000; includeSubDomains; preload, so the browser upgrades later http:// links itself without a round trip to port 80.
⚠️

Common Pitfalls

Common mistakes when enabling SSL in Django include:

  • Not setting SECURE_SSL_REDIRECT = True, so requests that reach Django over plain HTTP are served instead of redirected.
  • Setting SECURE_SSL_REDIRECT = True behind a reverse proxy without SECURE_PROXY_SSL_HEADER. Django never reads X-Forwarded-Proto on its own, so every proxied request looks insecure, gets a 301 to https://, arrives again as plain HTTP from the proxy, and loops (browsers report ERR_TOO_MANY_REDIRECTS).
  • Setting SECURE_PROXY_SSL_HEADER while the application server is also reachable directly (not only through the proxy). A client can then send X-Forwarded-Proto: https itself and bypass the redirect and the secure-cookie logic; bind the app server to localhost or a private interface.
  • Forgetting SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE, so the session and CSRF cookies are sent on any stray HTTP request and can be captured on the network.
  • Jumping straight to SECURE_HSTS_SECONDS = 31536000. HSTS is cached by browsers, so if a subdomain or the TLS setup is broken, visitors are locked out for the whole max-age. Start with a short value (for example 3600), confirm everything works over HTTPS, then raise it.
  • Removing SecurityMiddleware from MIDDLEWARE, which silently disables every SECURE_* setting.
  • Running Django with DEBUG = True in production, which leaks settings and stack traces.
  • Not configuring the web server (Nginx/Apache) with the full certificate chain, leaving clients with trust errors.
python
# Wrong: HTTP requests are served, and no HSTS header is ever sent
SECURE_SSL_REDIRECT = False

# Right: force HTTPS, and tell Django how the proxy marks HTTPS requests
SECURE_SSL_REDIRECT = True
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
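The redirect-loop and HSTS behaviour described in the pitfalls above, as an added example that is not part of the original page or of Django itself. It is a small, dependency-free re-implementation of the decisions Django's HttpRequest.is_secure() and SecurityMiddleware make, run against a constructed request shaped like what gunicorn sees behind the Nginx block above (TLS terminated upstream, wsgi.url_scheme is "http", X-Forwarded-Proto is "https"). The Settings and Request classes, the host name and the path are assumptions made for the example.

```python
"""Model Django's HTTPS detection and SecurityMiddleware redirect/HSTS decisions.

This is an illustrative re-implementation for the example, not Django code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Settings:
    # Hypothetical stand-in for django.conf.settings with only the fields we need.
    SECURE_SSL_REDIRECT: bool = True
    SECURE_PROXY_SSL_HEADER: Optional[Tuple[str, str]] = None
    SECURE_HSTS_SECONDS: int = 0
    SECURE_HSTS_INCLUDE_SUBDOMAINS: bool = False
    SECURE_HSTS_PRELOAD: bool = False


@dataclass
class Request:
    # Hypothetical stand-in for HttpRequest: host, path and the WSGI environ (META).
    host: str
    path: str
    meta: Dict[str, str] = field(default_factory=dict)


def is_secure(request: Request, settings: Settings) -> bool:
    """Decision Django makes in HttpRequest.is_secure().

    If SECURE_PROXY_SSL_HEADER is set and the header is present, its value
    decides. Otherwise only wsgi.url_scheme counts, i.e. the scheme of the
    socket Django itself accepted, which is plain HTTP behind a proxy.
    """
    if settings.SECURE_PROXY_SSL_HEADER:
        header, secure_value = settings.SECURE_PROXY_SSL_HEADER
        value = request.meta.get(header)
        if value is not None:
            return value.strip() == secure_value
    return request.meta.get("wsgi.url_scheme") == "https"


def redirect_target(request: Request, settings: Settings) -> Optional[str]:
    """What SecurityMiddleware.process_request does: the 301 target, or None."""
    if settings.SECURE_SSL_REDIRECT and not is_secure(request, settings):
        return f"https://{request.host}{request.path}"
    return None


def hsts_header(request: Request, settings: Settings) -> Optional[str]:
    """Strict-Transport-Security value SecurityMiddleware adds on secure responses."""
    if not settings.SECURE_HSTS_SECONDS or not is_secure(request, settings):
        return None
    value = f"max-age={settings.SECURE_HSTS_SECONDS}"
    if settings.SECURE_HSTS_INCLUDE_SUBDOMAINS:
        value += "; includeSubDomains"
    if settings.SECURE_HSTS_PRELOAD:
        value += "; preload"
    return value


# Constructed request: Nginx terminated TLS and forwarded over plain HTTP,
# so wsgi.url_scheme is "http" even though the user typed https://.
PROXIED = Request(
    host="yourdomain.com",
    path="/accounts/login/",
    meta={"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"},
)

# Redirect on, HSTS on, but Django never told to trust the proxy header.
BROKEN = Settings(SECURE_SSL_REDIRECT=True, SECURE_HSTS_SECONDS=31536000)

# The settings from this page, including SECURE_PROXY_SSL_HEADER.
FIXED = Settings(
    SECURE_SSL_REDIRECT=True,
    SECURE_PROXY_SSL_HEADER=("HTTP_X_FORWARDED_PROTO", "https"),
    SECURE_HSTS_SECONDS=31536000,
    SECURE_HSTS_INCLUDE_SUBDOMAINS=True,
    SECURE_HSTS_PRELOAD=True,
)


def demo() -> Dict[str, Optional[str]]:
    """Run both configurations against the proxied request."""
    return {
        "broken_redirect": redirect_target(PROXIED, BROKEN),
        "broken_hsts": hsts_header(PROXIED, BROKEN),
        "fixed_redirect": redirect_target(PROXIED, FIXED),
        "fixed_hsts": hsts_header(PROXIED, FIXED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With BROKEN, the request that already came in over HTTPS is answered with a 301 to the very same https:// URL; the browser follows it, Nginx forwards it as plain HTTP again, and the loop continues until the browser gives up. No HSTS header is ever emitted either, because Django never considers the request secure. With FIXED, the request is recognised as secure, no redirect is issued, and the full Strict-Transport-Security header goes out. The Nginx proxy_set_header line is what makes trusting the header safe: it replaces any X-Forwarded-Proto a client supplies, which is also why the application server must not be reachable except through the proxy.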
📊

Quick Reference

Summary tips for using SSL in Django:

  • Always use a valid SSL certificate on your web server.
  • Set SECURE_SSL_REDIRECT = True in Django settings.
  • Enable HSTS with SECURE_HSTS_SECONDS and related settings.
  • Set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True.
  • Behind a reverse proxy, have it set X-Forwarded-Proto and set SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') so Django trusts it; otherwise the redirect loops.
  • Run Django with DEBUG = False in production.

Key Takeaways

Configure your web server with a valid SSL certificate to serve HTTPS.
Set SECURE_SSL_REDIRECT = True in Django to force HTTPS connections.
Enable security settings like HSTS and secure cookies in Django settings.
Behind a reverse proxy, pass X-Forwarded-Proto and set SECURE_PROXY_SSL_HEADER so Django detects HTTPS correctly instead of redirecting in a loop.
Start HSTS with a short max-age and raise it only once HTTPS works everywhere.
Never run Django with DEBUG = True in production.