Django is secure by default — if you configure production correctly. These are the settings that matter most.
1. Turn off DEBUG
DEBUG = False
Leaving DEBUG on in production leaks stack traces, settings and SQL to visitors. This is the single most important setting.
2. Set ALLOWED_HOSTS
ALLOWED_HOSTS = ["example.com", "www.example.com"]
3. Keep secrets out of code
Load SECRET_KEY, database passwords and API keys from environment variables, never hard-coded in settings or committed to git:
import os
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
4. Enforce HTTPS
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 31536000
5. Run the deploy check
python manage.py check --deploy
Django will flag insecure settings for you. Fix each warning, keep the framework and dependencies updated, and your Django site will be well protected.