Lucky you, you user of the web framework for perfectionists with deadlines (AKA Django). The Django team has put a lot of thought into their security practice. I have summarized some of the best tips to keep your Django project secure. See all ten tips here
Django provides a lot of security features baked in, but the authentication system does not inherently protect against brute force attacks. A malicious actor could hit your system with numerous login attempts, and potentially get in.
If this kind of attack is of concern for your project, use a project like Django Defender to lock out users after too many login attempts.
Protecting your source code may seem to be an obvious step, but it is a multi-faceted step and is, therefore, worth exploring. One way to protect your source code is to make sure that it is not included in your web server’s root directory. If it is, there is a possibility that it is served or that, part of it, is executed in a way that you had not planned.
And although it goes without saying, if your project is sensitive, be sure to use a private repository on GitHub, Bitbucket, or Gitlab. Also, make sure to never check your secrets into your version control system, regardless of whether you intend to use a private repo. It is possible that a private repository does not always stay private and someone with access to a private repo cannot always be trusted.
While it is tempting to write raw sql queries and custom SQL, doing so may open the door for an attack. Django’s object-relational-mapping (ORM) framework is designed to make querying your database easy. Querysets are constructed using query paramatization. The query's parameters have been abstracted away from the query's sql code. A user attempting to perform a sql injection (execute arbitrary sql on a database) is going to find it much harder if you always use the ORM.
Django does allow the use of raw queries, but their use is not recommended. If you do use them, take extra care to properly escape any parameters. If you find the Django ORM to be insufficient for your needs, it is possible to use a different ORM within Django. SQLAlchemy is an example of an ORM that can be used with Django. If there is an ORM that better suits your project, making use of it is preferable to writing large amounts of raw sql.
Every security step you take is a step in the right direction. Django may be for perfectionists with deadlines, but code doesn’t have to be perfect to reap security benefits. Implementing the concepts discussed above, to the best of your ability, can dramatically improve the security of your code and result in a healthier, more resilient project. Happy coding, Pythonistas!