Security is not an afterthought but is instead integral to the way you write applications. However, being human, it is handy to have a checklist to remind you of the common omissions.
The following points are a bare minimum of security checks that you should perform before making your Django application public:
- Don't trust data from a browser, API, or any outside sources: This is a fundamental rule. Make sure that you validate and sanitize any outside data.
- Don't keep SECRET_KEY in version control: As a best practice, pick SECRET_KEY from the environment. Check out the django-environ package.
- Don't store passwords in plain text: Store your application password hashes instead. Add a random salt as well.
- Don't log any sensitive data: Filter out the confidential data, such as credit card details or API keys, before recording them...