7 Critical Django Production Server Settings to Configure Before Going Live

Captions
Hey everyone, this is Tony Teaches Tech. I'm Tony, and in this video I'm going to show you how to take your Django website and get it ready for public release. Now, there are a few key settings that you need to configure here in order to have a secure website, a website that's stable, and a website that is user-friendly. So let's go ahead and have a look.

All right guys, right off the bat here I just want to show you what we're working with. I have a website called Micro Domains; it is at this URL, micro.domains, and I am SSH'd into that server. Let's just have a look around here. We have our basic Django project infrastructure in the home directory of this user, and we're going to be doing a lot of our changes inside of the project directory, and then in there we have the settings.py file.

So that brings us to our first configuration setting that we want to set, and that is hiding the secret key. So inside of your settings.py file we want to come down to this line where it says SECRET_KEY equals some really, really long string of characters, numbers and symbols. So what we're going to do instead of this, as you can see by the comment here, it's not secure for production. We want to do something different: we want to read the secret key from a file, and we can do that with this line, two lines of code actually. What I'm going to do is copy my secret key, get rid of that, and then we're going to create a file called secret_key in the root of our project directory to contain just the secret key itself. So what this is doing is navigating to that path on our system, opening the file, reading the secret key, and assigning it to the variable SECRET_KEY. The one other thing we have to do here is import os, because we have that down below, so import os up here, and we're using it right down here. So let's go ahead and save that file, and in the root of our project directory, which is here for me, we want to create a file called secret_key.txt (s-e-c-r-e-t underscore key dot txt) and then paste in your secret key. We want to get rid of everything in here except the actual value of the secret key; that includes the quotes at the beginning and the end, and that's what we're going to be left with. So that should take care of securing your secret key as far as Django settings are concerned.

The next thing you want to do is to install an SSL certificate on your Django website. Actually, there's a video for you that you guys can check out up here; I'll also have that linked at the end of the video. What this gives you is the lock icon in your browser. So this is what you're going to end up with: I have a valid certificate installed that was issued by Let's Encrypt, and the really cool thing is that this is 100% free. So definitely check out that tutorial for how to get an SSL certificate and enable HTTPS on your Django website.

Now that you have an SSL certificate installed on your website, we need to add some additional HTTPS settings to our settings.py file. So open back up your settings.py file, come down to the bottom, and we want to add these three variables: SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True, and SECURE_SSL_REDIRECT = True. So SESSION_COOKIE_SECURE just makes sure that your cookies are being served over HTTPS; similar for CSRF, that your CSRF cookies are being secured and served over HTTPS; and then finally SECURE_SSL_REDIRECT makes sure that all of your traffic is being redirected from HTTP to HTTPS.

Next we want to similarly add some HSTS settings to our settings.py file. If you're not familiar, HSTS stands for HTTP Strict Transport Security, and what that is, is essentially adding some information to the header of your request which says that browsers should not and cannot connect to your website via an insecure connection, i.e. HTTP. So let's go ahead and look at those settings. Down here at the bottom of our settings.py file we have SECURE_HSTS_SECONDS, SECURE_HSTS_PRELOAD and SECURE_HSTS_INCLUDE_SUBDOMAINS. So the seconds is this really big number here; it is equal to one year. So basically we're going to put that information in the initial request, and subsequent requests for that matter, to the client, and the browser is going to respect that, and for the next year we're not going to be able to connect to your website via an insecure connection. So that's a really good thing. The HSTS preload equals True and the include subdomains equals True: you want to set these both also to True, because even if you don't have subdomains they're just a good thing to include in that request header.

Moving right along, we want to make sure that we have our domain name specified in the ALLOWED_HOSTS setting, and again we're going to be working in the settings.py file. So down here, find the variable ALLOWED_HOSTS. You might already have this specified in here; this is just a list of domain names, host names, that are allowed to serve or connect to this server, your Django server. And again, like I said, we're working with micro.domains; that's the domain name, so I specified that here, and the www version of that as well.

Next up, and this is a big one, we want to make sure that we turn off debugging in production, and I'm going to show you what the difference is between DEBUG equals True and False. You might already know this, but let's go ahead and set the setting first. In our settings.py file, just make sure you come down to the line that says DEBUG equals, and set it from True to False; by default it's True when you start your Django project. Back here in my web browser, with DEBUG equals False for me right now, if I go to a page that doesn't exist we're going to see an error message that is user-friendly-ish. You know, it's better than what it looks like when DEBUG equals True. So before the video I just made this tab over here, went to this page, and you've probably seen this too: this is what a page looks like when DEBUG equals True. You get all this extra information that the end user really doesn't care about, so that's why you want to set off, or turn off, debugging in production.

Moving right along, we want to make sure that we copy our static files into our static root directory. Basically, when I say static files I just mean images, CSS files, JavaScript files, any non-HTML/PHP files on your Django server. So let me show you what I mean by this. In your settings.py file you by default have a STATIC_URL at this address; you want to add a STATIC_ROOT, which in my case is just at the base of my project, static. So when we save this in our settings.py file, Python, or Django actually, has a very convenient function that you can execute to copy those files into that static directory. We can do something like python manage.py collectstatic, and as you can see here there is no static directory right now because we haven't run this yet, and when we execute this it created that directory, home new dom's micro domain static. So if we do an ls again we see our static directory, and all of our static files are now copied in there.

All right guys, last one here: we want to run Django's automated deployment checklist, and again this is a convenience function that Django provides for us. So inside the root of your project directory we want to type something like python manage.py check --deploy, and if you've been following along you should see no issues at this point. Before running this you might see something that looks like this, which is showing you the individual issues that you need to fix before going to deployment, but since we fixed those we are good to go.

Guys, if you have any questions about the content in this video or getting set up with Django for production, let me know in the comments below. I have all these other videos about Django and getting ready for production, so check those out as well. Thank you guys for watching; I'll see you in the next video.
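The settings the video walks through, collected into one runnable Python module as an added example (not the author's code or Django's own checker). It assumes the key file is named secret_key.txt in the project root and the hosts are micro.domains and www.micro.domains as in the video; deploy_problems() is a deliberately simplified stand-in for what `manage.py check --deploy` reports, so that the before/after difference can be tested without Django installed.

```python
import os

SECRET_KEY_FILE = "secret_key.txt"  # file name used in the video (assumption)
ONE_YEAR = 60 * 60 * 24 * 365       # the SECURE_HSTS_SECONDS value from the video


def load_secret_key(path):
    """Read the secret key from a file that holds only the bare key (no quotes)."""
    with open(path) as f:
        key = f.read().strip()
    if not key:
        raise ValueError(f"{path} is empty; refusing to start with no secret key")
    if key[0] in "\"'" or key[-1] in "\"'":
        # The video's point: the file holds the value itself, not a Python literal.
        raise ValueError(f"{path} must hold the bare key, without quotes")
    return key


def production_settings(base_dir, hosts=("micro.domains", "www.micro.domains")):
    """The settings the video configures, as a dict (in settings.py they are globals)."""
    return {
        "SECRET_KEY": load_secret_key(os.path.join(base_dir, SECRET_KEY_FILE)),
        "DEBUG": False,                  # never leak tracebacks to end users
        "ALLOWED_HOSTS": list(hosts),
        "SESSION_COOKIE_SECURE": True,   # session cookie sent only over HTTPS
        "CSRF_COOKIE_SECURE": True,      # CSRF cookie sent only over HTTPS
        "SECURE_SSL_REDIRECT": True,     # redirect http:// requests to https://
        "SECURE_HSTS_SECONDS": ONE_YEAR,
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
        "SECURE_HSTS_PRELOAD": True,
        "STATIC_URL": "/static/",
        "STATIC_ROOT": os.path.join(base_dir, "static"),  # target of collectstatic
    }


def deploy_problems(settings):
    """Simplified stand-in for `manage.py check --deploy`: names of unsafe settings."""
    problems = []
    if settings.get("DEBUG", True):
        problems.append("DEBUG")
    if not settings.get("ALLOWED_HOSTS"):
        problems.append("ALLOWED_HOSTS")
    for flag in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE", "SECURE_SSL_REDIRECT",
                 "SECURE_HSTS_INCLUDE_SUBDOMAINS", "SECURE_HSTS_PRELOAD"):
        if not settings.get(flag):
            problems.append(flag)
    if settings.get("SECURE_HSTS_SECONDS", 0) <= 0:
        problems.append("SECURE_HSTS_SECONDS")
    return problems
```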
Info
Channel: Tony Teaches Tech
Views: 9,949
Keywords: django web server, python django production server, deploy django in production, django production and development settings, deploying django to production, django deployment, deploy django settings, django secret key in production, django secret key, django session cookie secure, django ssl redirect, django csrf cookie secure, django secure hsts, django security, django hsts header
Id: mAeK4Ia4fk8
Length: 8min 11sec (491 seconds)
Published: Fri Nov 06 2020