django-security

# Django Security Best Practices Comprehensive security guidelines for Django applications to protect against common vulnerabilities. ## When to Activate - Setting up Django authentication and authorization - Implementing user permissions and roles - Configuring production security settings - Reviewing Django application for security issues - Deploying Django applications to production ## Core Security Settings ### Production Settings Configuration ```python # settings/production.py import os DEBUG = False # CRITICAL: Never use True in production ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', '').split(',') # Security headers SECURE_SSL_REDIRECT = True SESSION_COOKIE_SECURE = True CSRF_COOKIE_SECURE = True SECURE_HSTS_SECONDS = 31536000 # 1 year SECURE_HSTS_INCLUDE_SUBDOMAINS = True SECURE_HSTS_PRELOAD = True SECURE_CONTENT_TYPE_NOSNIFF = True SECURE_BROWSER_XSS_FILTER = True X_FRAME_OPTIONS = 'DENY' # HTTPS and Cookies SESSION_COOKIE_HTTPONLY = True CSRF_COOKIE_HTTPONLY = True SESSION_COOKIE_SAMESITE = 'Lax' CSRF_COOKIE_SAMESITE = 'Lax' # Secret key (must be set via environment variable) SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY') if not SECRET_KEY: raise ImproperlyConfigured('DJANGO_SECRET_KEY environment variable is required') # Password validation AUTH_PASSWORD_VALIDATORS = [ { 'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator', }, { 'NAM...