Security configurations in Django while deploying on production

I am using the settings below to secure a Django application deployed behind Gunicorn + NGINX.

Configuration on the Django side

In settings.py:

# https://docs.djangoproject.com/en/3.1/ref/settings/#allowed-hosts
ALLOWED_HOSTS = ['localhost', '127.0.0.1', 'your-django-site-domain.com']
# https://docs.djangoproject.com/en/3.1/ref/settings/#debug
DEBUG = False
# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-hsts-seconds
# Start small while confirming that every page works over HTTPS; browser preload lists
# require a max-age of at least one year (31536000), so raise this before submitting.
SECURE_HSTS_SECONDS = 3600
# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-hsts-preload
SECURE_HSTS_PRELOAD = True
# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-hsts-include-subdomains
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-content-type-nosniff
SECURE_CONTENT_TYPE_NOSNIFF = True
# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-browser-xss-filter
SECURE_BROWSER_XSS_FILTER = True
# https://docs.djangoproject.com/en/3.1/ref/settings/#session-cookie-secure
SESSION_COOKIE_SECURE = True
# https://docs.djangoproject.com/en/3.1/ref/settings/#csrf-cookie-secure 
CSRF_COOKIE_SECURE = True
# https://docs.djangoproject.com/en/3.1/ref/settings/#x-frame-options
X_FRAME_OPTIONS = 'DENY'
# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-ssl-redirect
SECURE_SSL_REDIRECT = True
# https://docs.djangoproject.com/en/3.1/ref/settings/#secure-proxy-ssl-header
# Only safe because NGINX (below) always sets X-Forwarded-Proto itself and Gunicorn is
# bound to 127.0.0.1, so a client cannot supply this header directly.
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

Remove or comment out print statements in views.py and in other files as well.

Gunicorn side

Pass 127.0.0.1:port_number to the --bind argument, as below, so that Gunicorn listens only on the loopback interface and is reachable only through NGINX:

/data/kathirvel/django-env/bin/gunicorn django_app_name.wsgi --workers=2 --bind=127.0.0.1:8004 --timeout=1000000

NGINX side

The NGINX configuration file can look like the one below:

server {
        listen 80;
        server_name your-site-domain.com;
        # keep the requested path when redirecting to HTTPS
        return 301 https://your-site-domain.com$request_uri;
        client_max_body_size 1024M;
}
server {
        # "ssl on;" is deprecated (and removed in recent NGINX releases); "listen ... ssl" replaces it
        listen 443 ssl default_server;
        ssl_certificate /ssl/your-site-domain.com.cer;
        ssl_certificate_key /ssl/your-site-domain.com.key;
        # substitute your FQDN
        server_name your-site-domain.com;
        client_max_body_size 1024M;
        # Django's SecurityMiddleware also sends this header (SECURE_HSTS_SECONDS); keep the two values consistent
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        location / {
                # must match the port given to gunicorn --bind (8004 in the command above)
                proxy_pass http://127.0.0.1:8004;
                proxy_redirect off;
                # always overwrite any client-supplied value; Django's SECURE_PROXY_SSL_HEADER relies on it
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_read_timeout 100000000;
        }
}
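Django's own `manage.py check --deploy` reports on these settings from inside the project; the script below is an added example (not part of the gist) that checks the deployed site from the outside, parsing the response headers and cookies that the settings and NGINX config above should produce. It uses only the standard library; the function names are mine, the host name is the gist's placeholder your-site-domain.com, and the cookie names are Django's defaults.

```python
import http.client
import urllib.parse

EXPECTED = {
    "x-content-type-options": "nosniff",  # SECURE_CONTENT_TYPE_NOSNIFF
    "x-frame-options": "deny",            # X_FRAME_OPTIONS = 'DENY'
}
SECURE_COOKIES = ("sessionid", "csrftoken")  # Django's default cookie names


def fetch(url):
    """GET one URL without following redirects; return (status, headers, set-cookie list)."""
    u = urllib.parse.urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    cookies = resp.msg.get_all("set-cookie") or []
    conn.close()
    return resp.status, headers, cookies


def audit_https(headers, cookies):
    """Findings for a response served over HTTPS; an empty list means every check passed."""
    findings = []
    for name, want in EXPECTED.items():
        if headers.get(name, "").lower() != want:
            findings.append(f"{name} should be {want!r}, got {headers.get(name)!r}")
    # HSTS: SecurityMiddleware emits max-age=SECURE_HSTS_SECONDS plus includeSubDomains/preload
    parts = [p.strip().lower() for p in headers.get("strict-transport-security", "").split(";")]
    max_age = next((int(p.split("=", 1)[1]) for p in parts if p.startswith("max-age=")), 0)
    if max_age <= 0:
        findings.append("HSTS header missing or max-age is 0")
    if "includesubdomains" not in parts:
        findings.append("HSTS header lacks includeSubDomains")
    # SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE: both cookies must carry the Secure attribute
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if name in SECURE_COOKIES and "secure" not in attrs:
            findings.append(f"cookie {name} is missing the Secure attribute")
    return findings


def audit_http_redirect(status, headers, request_path):
    """A plain-HTTP request must be redirected to HTTPS and keep its original path."""
    loc = headers.get("location", "")
    if status not in (301, 302, 307, 308) or not loc.startswith("https://"):
        return [f"http request not redirected to https (status {status}, location {loc!r})"]
    if not urllib.parse.urlsplit(loc).path.startswith(request_path):
        return [f"redirect drops the request path: {loc!r}"]
    return []
```

Run it as `audit_http_redirect(*fetch("http://your-site-domain.com/admin/")[:2], "/admin/")` and `audit_https(*fetch("https://your-site-domain.com/")[1:])`; both return an empty list when the deployment matches the configuration above.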