django-security
Install: claude install-skill hlsitechio/claude-skills-security
# Django Security Audit
Audit Django applications including DRF (Django REST Framework) APIs.
## When this skill applies
- Reviewing Django `settings.py` files
- Auditing views, models, and templates
- Reviewing DRF serializers and viewsets
- Checking authentication and permission classes
- Auditing Django Admin exposure
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
grep -E '^Django|django' requirements.txt pyproject.toml 2>/dev/null
find . -name 'manage.py' -not -path '*/.venv/*'
# -name only matches a basename, so the split-settings package layout needs -path
find . -name 'settings.py' -o -path '*/settings/*.py' 2>/dev/null
python -c "import django; print(django.get_version())" 2>/dev/null
```
### Phase 2: Inventory
```bash
# Settings files
find . -name 'settings*.py' -not -path '*/.venv/*' -not -path '*/node_modules/*'
# Views
find . -name 'views.py' -o \( -name 'views' -type d \) 2>/dev/null
# URL configurations
find . -name 'urls.py' 2>/dev/null
# Raw SQL usage
grep -rn '\.raw(\|cursor()\|connection\.cursor' . --include='*.py' 2>/dev/null
# Template autoescape disabling
grep -rn '|safe\|autoescape off\|mark_safe\|format_html' . --include='*.py' --include='*.html' 2>/dev/null
```
### Phase 3: Detection — the checks
#### `settings.py` audit
- **DJG-SET-1** `SECRET_KEY` from environment variable, not committed:
```python
import os

# Fail at startup if the key is missing; never fall back to a default value
SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
```
Audit: `git log -p -- settings.py | grep -i secret_key`; if any historical commit contains a real key, treat it as compromised and rotate it.
- **DJG-SET-2** `DEBUG
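The DJG-SET-1 check above can be automated with a small AST pass over a settings module. This is an added example, not part of the skill's own tooling; the sample settings sources are constructed here, and the `os.environ` / `os.getenv` patterns it recognises are assumptions (a project using a helper such as django-environ is reported for manual review rather than passed).

```python
import ast
from typing import List

# Constructed sample settings modules for the demo (not from any real project).
SETTINGS_HARDCODED = 'SECRET_KEY = "django-insecure-0123456789"\n'
SETTINGS_FROM_ENV = 'import os\nSECRET_KEY = os.environ["DJANGO_SECRET_KEY"]\n'
SETTINGS_FALLBACK = 'import os\nSECRET_KEY = os.environ.get("DJANGO_SECRET_KEY", "dev-key")\n'

ENV_CALLS = ("os.environ.get", "os.getenv")


def audit_secret_key(source: str) -> List[str]:
    """Return DJG-SET-1 findings for a settings module given as source text."""
    findings: List[str] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "SECRET_KEY" for t in node.targets):
            continue
        value = node.value
        where = f"line {node.lineno}"
        is_env_subscript = (isinstance(value, ast.Subscript)
                            and ast.unparse(value.value) == "os.environ")
        is_env_call = (isinstance(value, ast.Call)
                       and ast.unparse(value.func) in ENV_CALLS)
        if isinstance(value, ast.Constant) and isinstance(value.value, str):
            # The committed literal is the key; anyone with repo access has it.
            findings.append(f"DJG-SET-1 {where}: SECRET_KEY is a hardcoded string literal; rotate it")
        elif is_env_call and (len(value.args) > 1 or value.keywords):
            # A fallback default lets production silently run on a known key.
            findings.append(f"DJG-SET-1 {where}: SECRET_KEY has a fallback default; fail hard instead")
        elif not (is_env_subscript or is_env_call):
            findings.append(f"DJG-SET-1 {where}: SECRET_KEY not read via os.environ; review manually")
    return findings


def audit_settings_file(path: str) -> List[str]:
    """Convenience wrapper: run the check over a settings file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_secret_key(fh.read())


if __name__ == "__main__":
    for name, src in [("hardcoded", SETTINGS_HARDCODED), ("env", SETTINGS_FROM_ENV),
                      ("fallback", SETTINGS_FALLBACK)]:
        print(name, audit_secret_key(src) or "OK")
```

Point `audit_settings_file` at every file the Phase 2 inventory found (`settings*.py` and the `settings/` package); the fallback-default case is the one most often missed when reviewing by eye.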