I have just created a new project and Django identified 6 security issues in it.

→ python manage.py check --deploy

System check identified some issues:

WARNINGS:

?: (security.W001) You do not have 'django.middleware.security.SecurityMiddleware' in your MIDDLEWARE_CLASSES so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, and SECURE_SSL_REDIRECT settings will have no effect.

?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.

?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.

?: (security.W017) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE_CLASSES, but you have not set CSRF_COOKIE_HTTPONLY to True. Using an HttpOnly CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.

?: (security.W018) You should not have DEBUG set to True in deployment.

?: (security.W019) You have 'django.middleware.clickjacking.XFrameOptionsMiddleware' in your MIDDLEWARE_CLASSES, but X_FRAME_OPTIONS is not set to 'DENY'. The default is 'SAMEORIGIN', but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'.



System check identified 6 issues (0 silenced).
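To see what each of the six warnings is actually looking at, here is an added example (not Django's own check code) that re-implements the conditions described in the warning text as plain functions over a settings dict. The `FRESH_PROJECT` dict is a constructed sample that reproduces the state the warnings describe; `HARDENED` is the same settings with each warning addressed, so the two can be compared side by side.

```python
"""Re-implementation of the six `check --deploy` conditions above as plain
functions over a settings dict. Added example, not Django's own code."""

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"


def deploy_warnings(settings):
    """Return the warning IDs that the checks above would raise for `settings`.

    Hypothetical mirror of the six checks; accepts either the older
    MIDDLEWARE_CLASSES key (as in the output above) or MIDDLEWARE."""
    mw = settings.get("MIDDLEWARE_CLASSES", settings.get("MIDDLEWARE", ()))
    warnings = []
    # W001: without SecurityMiddleware the SECURE_* settings do nothing.
    if SECURITY_MW not in mw:
        warnings.append("security.W001")
    # W012: session cookie must only travel over HTTPS.
    if settings.get("SESSION_COOKIE_SECURE") is not True:
        warnings.append("security.W012")
    # W016/W017: CSRF cookie should be Secure and HttpOnly when CSRF is on.
    if CSRF_MW in mw and settings.get("CSRF_COOKIE_SECURE") is not True:
        warnings.append("security.W016")
    if CSRF_MW in mw and settings.get("CSRF_COOKIE_HTTPONLY") is not True:
        warnings.append("security.W017")
    # W018: DEBUG leaks tracebacks and settings to anyone who triggers an error.
    if settings.get("DEBUG") is True:
        warnings.append("security.W018")
    # W019: clickjacking middleware should deny framing unless you need it.
    if XFRAME_MW in mw and settings.get("X_FRAME_OPTIONS") != "DENY":
        warnings.append("security.W019")
    return warnings


# Constructed sample: the state a fresh project was in when it produced the
# six warnings above (SecurityMiddleware absent, DEBUG on, cookies unset).
FRESH_PROJECT = {
    "DEBUG": True,
    "MIDDLEWARE_CLASSES": [
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        CSRF_MW,
        "django.contrib.auth.middleware.AuthenticationMiddleware",
        "django.contrib.messages.middleware.MessageMiddleware",
        XFRAME_MW,
    ],
}

# The same settings with each warning addressed.
HARDENED = dict(
    FRESH_PROJECT,
    DEBUG=False,
    MIDDLEWARE_CLASSES=[SECURITY_MW] + FRESH_PROJECT["MIDDLEWARE_CLASSES"],
    SESSION_COOKIE_SECURE=True,
    CSRF_COOKIE_SECURE=True,
    CSRF_COOKIE_HTTPONLY=True,
    X_FRAME_OPTIONS="DENY",
)

if __name__ == "__main__":
    for name, conf in (("fresh project", FRESH_PROJECT), ("hardened", HARDENED)):
        print(f"{name}: {deploy_warnings(conf) or 'no warnings'}")
```

Note that `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` only make sense once the site is actually served over HTTPS; setting them on a plain-HTTP deployment silences the warning but breaks logins, which is why the check is advisory rather than an error.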

→ python manage.py is_it_ready

--------------------

Production ready: No

--------------------

Possible errors:

* Enter valid email address in ADMINS section

* Enter valid email address in MANAGERS section

* Template 404.html does not exist

* Template 500.html does not exist

* Setup E-mail host

* Set a valid email for SERVER_EMAIL

* Set a valid email for DEFAULT_FROM_EMAIL

* You have one or more ipdb import statements

* You have one or more print statements



The built-in `check --deploy` command comes in handy to quickly make sure a lot of issues are taken care of and the app is ready for deployment!

However, this doesn't identify issues like the absence of 404.html and 500.html templates, email setup, admin emails, or the presence of print and pdb statements. There is a Django package called django-production-ready which checks for these issues. To the new project just created, I have added a new file which has print and pdb statements. I have installed django-production-ready, added it to INSTALLED_APPS and ran the `is_it_ready` management command, which produced a neat log of all issues.
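The source-level checks in the `is_it_ready` report above (leftover print statements, pdb/ipdb imports, missing 404.html and 500.html templates) can be reproduced with the standard library. The following is an added example written for this page, not django-production-ready's own code; it uses Python's `ast` module, so it targets Python 3 syntax where `print` is a function call, and the `SAMPLE_VIEW` source is a constructed file of the kind the post describes adding to the project.

```python
"""Scan Python source for debugging leftovers and check for error templates.
Added example, not django-production-ready's own implementation."""
import ast
import os
import tempfile

DEBUGGER_MODULES = {"pdb", "ipdb"}


def find_debug_leftovers(source, filename="<string>"):
    """Return (kind, line) tuples for print() calls and pdb/ipdb imports.

    Hypothetical helper; walks the AST rather than grepping, so `print` inside
    a string or comment is not a false positive."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            # `import ipdb`, `import pdb as dbg`, ...
            if any(a.name.split(".")[0] in DEBUGGER_MODULES for a in node.names):
                findings.append(("debugger-import", node.lineno))
        elif isinstance(node, ast.ImportFrom):
            # `from pdb import set_trace`
            if node.module and node.module.split(".")[0] in DEBUGGER_MODULES:
                findings.append(("debugger-import", node.lineno))
        elif isinstance(node, ast.Call):
            # A bare `print(...)` call (Python 3).
            if isinstance(node.func, ast.Name) and node.func.id == "print":
                findings.append(("print", node.lineno))
    return sorted(findings, key=lambda f: f[1])


def missing_templates(template_dir, required=("404.html", "500.html")):
    """Names from `required` that have no file directly under template_dir."""
    return [name for name in required
            if not os.path.isfile(os.path.join(template_dir, name))]


# Constructed sample: a view left in a debugging state.
SAMPLE_VIEW = '''\
import ipdb
from django.http import HttpResponse

def index(request):
    print("hit index")
    ipdb.set_trace()
    return HttpResponse("ok")
'''

if __name__ == "__main__":
    for kind, line in find_debug_leftovers(SAMPLE_VIEW, "views.py"):
        print(f"views.py:{line}: {kind}")
    # Constructed template dir with only 404.html present.
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "404.html"), "w").close()
        print("missing templates:", missing_templates(tmp))
```

Wiring `find_debug_leftovers` over every `.py` file under the project and `missing_templates` over each `DIRS` entry in `TEMPLATES` gives the same kind of report the package prints, and is cheap enough to run in CI before each deploy.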