Django deployment checklist

Deploying your Django application exposes it to internet hostility. Therefore, one needs to configure the settings with performance, security, and operation in mind. Django comes with many security features, and some of them are enabled by default. 

What are the settings required by you to adjust in order to maximize the full potential and security Django provides in production? That is what this post will answer. 


The database for your production database needs to be set. The database connection parameters in development are different in production. The secret key of your database should be protected, and it is advisable to set up a backup for your database. 

Secret Key:

The SECRET_KEY of your Django application needs to be guided jealously. The secret key is usually a large random value. The key used in production shouldn't be showcased in any source or version control system like GitHub. Normally, I load my SECRET_KEY from an environment variable. 

import os


By default, Debug is set to True in Django. In production, it must never be set to True. In development, Debug = True enables many features that makes debugging easier. It gives you a traceback error for your project. Enabling this feature displays a detailed error page for your projects, and this makes your Django application vulnerable in production because it exposes so much information about your web application. Moreover setting your Debug to True disables many features in production and invariably improves performance. 

Static Files:

The STATIC_ROOT and STATIC_URL must be defined in production. STATIC_ROOT is the absolute path where collectstatic will collect static files for deployment. The STATIC_URL is the URL to use when referring to static files located in the  STATIC_ROOT

Media Files:

This has a similar setup as the static files. The MEDIA_ROOT and  MEDIA_URL should be set up. Media files are uploaded by the user. Therefore, not all media files should be interpreted by the web server. 

Allowed Host:

Set the ALLOWED_HOST to the list of domain names the Django site can serve. 

Email :

Irrespective of whether your site sends emails, it is advisable to set up this functionality for it to send you messages on internal server errors. The related settings include EMAIL_PORT, EMAIL_HOST, EMAIL_HOST_PASSWORD, DEFAULT_FROM_EMAIL, and SERVER_EMAIL.  

Other relevant setups are CACHES, LOGGING, EMAIL_BACKEND, ADMINS, and MANAGER.