Django ALLOWED_HOSTS

This article shows how to take your Django website, get it ready for public release, set ALLOWED_HOSTS, and fix expected major issues during web deployment with Django.

Fix the Major Deployment Issues and Set ALLOWED_HOSTS in Django

You need to configure a few key settings to have a secure website, a website that is stable in a user-friendly website. Let’s look at how to do it without getting an error.

Suppose we have a website called example in this URL example.domains, and we ssh into that server. We have our basic Django project infrastructure in this user’s home directory.

/home/example/exampledomains

So now we will be doing many of our changes inside the project directory, and then in there, we have the settings.py file. That brings us to the first configuration setting that we want to set, hiding the SECRET_KEY.

Follow inside your settings.py SECRET_KEY equals some long string of characters, numbers and symbols, so what will we do with this file? As you can see by the comment (it’s not secure for production).

Now we want to do something different, we want to read the SECRET_KEY from a file, and we can do that with the two lines of code below. We will copy our SECRET_KEY in the secret_key.txt file and then create a file called secret_key.txt in the root of our project directory containing the secret key.

So it’s navigating to that path on our system, opening the file, reading the secret key, and assigning it to the variable SECRET_KEY.

Let’s go ahead and save that file in the root of our project directory.

with open(os.path.join(BASE_DIR, "secret_key.txt")) as f:
    SECRET_KEY = f.read().strip()

We need to add some additional HTTPS settings to our settings.py file, so open up your settings.py file and scroll down to the bottom. We need to add these three variables and set them equal to True.

The SESSION_COOKIES_SECURE makes sure that your cookies are being served over HTTP, similar to CSRF_COOKIES_SECURE that your CSRF cookies are being secured and served over HTTPS. The third variable, called SECURE_SSL_REDIRECT, ensures that all of your traffic is redirected from HTTP to HTTPS.

SESSION_COOKIES_SECURE = True
CSRF_COOKIES_SECURE = True
SECURE_SSL_REDIRECT = True

Next, we need to similarly add some HSTS settings to our settings.py file. If you are not familiar with HSTS, it stands for HTTP strict transport security.

HSTS is essentially adding some information to the header of your request, which says that browsers should not and cannot connect to your website via an insecure connection, i.e., HTTP.

Let’s look at those settings at the bottom of our settings.py file and create some variables.

The SECURE_HSTS_SECONDS stores a really big number (below is for one year). We need to put that information in the initial request and subsequent requests for that matter to the client, and the browser will respect that.

For the next year, we cannot connect to your website via an insecure connection, so that is a good thing.

We want to set SECURE_HSTS_PRELOAD and SECURE_HSTS_INCLUDE_SUBDOMAINS to True because even if you do not have subdomains, they are good to include in that request header.

SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

Moving along, we want to ensure that our domain name is specified in the allowed host settings. Again, we will be working in the settings.py file and find the variable ALLOWED_HOSTS (you might already have this specified here, this is just a list of domain names).

The hostnames allowed to serve or connect to this server are your Django server; as we are working with the example.domains, we specify the domain name and the www.example.domains version of that.

ALLOWED_HOSTS = ["example.domains", "www.example.domains"]

Next, we need to ensure that we turn off debugging in production. We will show you the differences between debugging equal True and False.

Set the settings.py file first to ensure that DEBUG is set to False. It is True when you start your Django project by default.

In our web browser, if we go to a page and debug to False, if that page does not exist, we will see a user-friendly error. You know it is better than what it looks like when DEBUG equals True.

DEBUG = False

Moving along, we need to ensure that we copy our static files into our static root directory. We mean images, CSS, JavaScript, and any non-HTML PHP files on our Django server when we say static files.

By default, our settings.py file has a static URL at that address; we want to add a static root. Our case is just at the base directory of our project '/static/'.

Django has a very convenient function that we can execute to copy those files into that static directory using the following command.

python manage.py collectstatic

Lastly, we need to run Django automated deployment checklist. This is a convenient function that Django provides for us.

Inside the root of our project directory, we need to type the code below.

python manage.py check --deploy

So if you have been following along, you should see no issues at this point. Before running this, you might see something that shows you the individual issues you need to fix before deployment.