This article shows how to take your Django website, get it ready for public release, set
ALLOWED_HOSTS, and fix expected major issues during web deployment with Django.
Fix the Major Deployment Issues and Set
ALLOWED_HOSTS in Django
You need to configure a few key settings to have a secure website, a website that is stable in a user-friendly website. Let’s look at how to do it without getting an error.
Suppose we have a website called
example in this URL
example.domains, and we
ssh into that server. We have our basic Django project infrastructure in this user’s home directory.
So now we will be doing many of our changes inside the project directory, and then in there, we have the
settings.py file. That brings us to the first configuration setting that we want to set, hiding the
Follow inside your
SECRET_KEY equals some long string of characters, numbers and symbols, so what will we do with this file? As you can see by the comment (it’s not secure for production).
Now we want to do something different, we want to read the
SECRET_KEY from a file, and we can do that with the two lines of code below. We will copy our
SECRET_KEY in the
secret_key.txt file and then create a file called
secret_key.txt in the root of our project directory containing the secret key.
So it’s navigating to that path on our system, opening the file, reading the secret key, and assigning it to the variable
Let’s go ahead and save that file in the root of our project directory.
with open (os.path.join(BASE_DIR,'secret_key.txt')) as f: SECRET_KEY =f.read().strip()
We need to add some additional HTTPS settings to our
settings.py file, so open up your
settings.py file and scroll down to the bottom. We need to add these three variables and set them equal to
SESSION_COOKIES_SECURE makes sure that your cookies are being served over HTTP, similar to
CSRF_COOKIES_SECURE that your CSRF cookies are being secured and served over HTTPS. The third variable, called
SECURE_SSL_REDIRECT, ensures that all of your traffic is redirected from HTTP to HTTPS.
SESSION_COOKIES_SECURE =True CSRF_COOKIES_SECURE =True SECURE_SSL_REDIRECT =True
Next, we need to similarly add some HSTS settings to our
settings.py file. If you are not familiar with HSTS, it stands for HTTP strict transport security.
HSTS is essentially adding some information to the header of your request, which says that browsers should not and cannot connect to your website via an insecure connection, i.e., HTTP.
Let’s look at those settings at the bottom of our
settings.py file and create some variables.
SECURE_HSTS_SECONDS stores a really big number (below is for one year). We need to put that information in the initial request and subsequent requests for that matter to the client, and the browser will respect that.
For the next year, we cannot connect to your website via an insecure connection, so that is a good thing.
We want to set
True because even if you do not have subdomains, they are good to include in that request header.
SECURE_HSTS_SECONDS= 31536000 SECURE_HSTS_PRELOAD= True SECURE_HSTS_INCLUDE_SUBDOMAINS= True
Moving along, we want to ensure that our domain name is specified in the allowed host settings. Again, we will be working in the
settings.py file and find the variable
ALLOWED_HOSTS (you might already have this specified here, this is just a list of domain names).
The hostnames allowed to serve or connect to this server are your Django server; as we are working with the
example.domains, we specify the domain name and the
www.example.domains version of that.
ALLOWED_HOSTS = ["example.domains","www.example.domains"]
Next, we need to ensure that we turn off debugging in production. We will show you the differences between debugging equal
settings.py file first to ensure that
DEBUG is set to
False. It is
True when you start your Django project by default.
In our web browser, if we go to a page and debug to
False, if that page does not exist, we will see a user-friendly error. You know it is better than what it looks like when
DEBUG = False
By default, our
settings.py file has a static URL at that address; we want to add a static root. Our case is just at the base directory of our project
Django has a very convenient function that we can execute to copy those files into that static directory using the following command.
python manage.py collectstatic
Lastly, we need to run Django automated deployment checklist. This is a convenient function that Django provides for us.
Inside the root of our project directory, we need to type the code below.
python manage.py check --deploy
So if you have been following along, you should see no issues at this point. Before running this, you might see something that shows you the individual issues you need to fix before deployment.