Django is secure by default — if you configure production correctly. These are the settings that matter most.

1. Turn off DEBUG

DEBUG = False

Leaving DEBUG on in production leaks stack traces, settings and SQL to visitors. This is the single most important setting.

2. Set ALLOWED_HOSTS

ALLOWED_HOSTS = ["example.com", "www.example.com"]

3. Keep secrets out of code

Load SECRET_KEY, database passwords and API keys from environment variables, never hard-coded in settings or committed to git:

import os
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]

4. Enforce HTTPS

SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 31536000

5. Run the deploy check

python manage.py check --deploy

Django will flag insecure settings for you. Fix each warning, keep the framework and dependencies updated, and your Django site will be well protected.