Django

Django Security

CSRF, XSS, clickjacking, and secure settings

  • CSRF — token on POST forms; middleware validates
  • XSS — templates auto-escape variables; avoid |safe on user HTML
  • SQL injection — ORM uses parameterized queries
  • Clickjacking — XFrameOptionsMiddleware sets the X-Frame-Options header

# Production settings excerpt
DEBUG = False
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 31536000
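As an added example (not code from this note or from Django itself), the function below audits a settings object against the baseline above and the middleware it depends on. Django ships its own version of this check as `python manage.py check --deploy`; this stand-alone variant takes any object with Django-style attribute names so it can run without a project. The two settings objects are constructed samples, and the middleware import paths are Django's real ones.

```python
"""Audit a Django settings object against the production baseline above.

Added example, not Django's own code.  Django's built-in equivalent is
`python manage.py check --deploy`.  The DEV/PROD settings below are
constructed samples, not taken from any real project.
"""
from types import SimpleNamespace

ONE_YEAR = 31536000  # matches SECURE_HSTS_SECONDS in the excerpt

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"


def audit_settings(settings):
    """Return a list of findings; an empty list means the baseline is met.

    `settings` is any object whose attributes are named like Django settings
    (django.conf.settings in a project, or a SimpleNamespace for testing).
    """
    findings = []

    def get(name, default=None):
        return getattr(settings, name, default)

    if get("DEBUG", False):
        findings.append("DEBUG=True: tracebacks expose settings and source to users")

    # Cookies flagged Secure are never sent over plain HTTP.
    for flag in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not get(flag, False):
            findings.append(f"{flag} is off: cookie may be sent over HTTP")

    middleware = list(get("MIDDLEWARE", []))
    if CSRF_MW not in middleware:
        findings.append("CsrfViewMiddleware missing: POST forms are not CSRF-checked")
    if XFRAME_MW not in middleware:
        findings.append("XFrameOptionsMiddleware missing: no X-Frame-Options header")

    # SECURE_SSL_REDIRECT and the HSTS settings are applied by SecurityMiddleware;
    # without it in MIDDLEWARE they are silently ignored.
    if not get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT is off: HTTP requests are served in the clear")
    hsts = get("SECURE_HSTS_SECONDS", 0) or 0
    if hsts < ONE_YEAR:
        findings.append(f"SECURE_HSTS_SECONDS={hsts}: below one year ({ONE_YEAR})")
    if (get("SECURE_SSL_REDIRECT", False) or hsts) and SECURITY_MW not in middleware:
        findings.append("SecurityMiddleware missing: SSL redirect and HSTS have no effect")

    return findings


# Constructed sample: a typical development configuration.
DEV_SETTINGS = SimpleNamespace(
    DEBUG=True,
    MIDDLEWARE=[CSRF_MW],
)

# Constructed sample: the excerpt above plus the middleware it relies on.
PROD_SETTINGS = SimpleNamespace(
    DEBUG=False,
    SECURE_SSL_REDIRECT=True,
    SESSION_COOKIE_SECURE=True,
    CSRF_COOKIE_SECURE=True,
    SECURE_HSTS_SECONDS=ONE_YEAR,
    MIDDLEWARE=[SECURITY_MW, CSRF_MW, XFRAME_MW],
)

if __name__ == "__main__":
    for name, cfg in (("dev", DEV_SETTINGS), ("prod", PROD_SETTINGS)):
        result = audit_settings(cfg)
        print(f"{name}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```

Run it as a script to see the development sample produce six findings and the production sample pass clean; in a real project, call `audit_settings(django.conf.settings)` after `django.setup()`.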