SECRET_KEY = "django-insecure-=u1k=mf8%hzi*no3t1^)=c7mx%mmg)*$=cx(6r2cq-nx^)k_cl"

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True

ALLOWED_HOSTS = []
Running a Django application with debug mode enabled may allow an attacker to gain access to sensitive information. Ensure that Django applications running in a production environment have DEBUG set to False.
Debug mode helps developers find bugs by exposing details about the system and its requests: the technical 500 page shows the full traceback with local variables, the request's headers, cookies and parameters, and the values of the settings module (only names that look like keys or passwords are masked), and a 404 in debug mode lists every configured URL pattern. That information is security-sensitive. If debug mode is left on in production, it tells an attacker which frameworks and versions are in use, how the application is configured, and where its internal code paths lie.
It is recommended to keep development-specific settings in a separate module (say, development_settings.py) that is only selected on developer machines, so the module used in production never contains DEBUG = True. Another recommended way is to read these values from environment variables, with DEBUG defaulting to False when the variable is absent.
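The environment-variable approach, as an added example that is not part of the original page or of Django itself (it runs without Django installed). The variable names DJANGO_DEBUG, DJANGO_SECRET_KEY and DJANGO_ALLOWED_HOSTS, the strict boolean parser and the refusal to start in production with a startproject placeholder key or an empty ALLOWED_HOSTS are assumptions of this example, not Django behaviour.

```python
import os
import secrets

# Constructed example (not from the original page or from Django): derive the
# debug-related settings from the environment and fail closed. The variable
# names below are assumptions chosen for this example.

TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off", ""}
INSECURE_KEY_PREFIX = "django-insecure-"  # prefix startproject puts on generated keys


def env_flag(name, default=False, environ=None):
    """Parse a boolean environment variable strictly.

    Unknown spellings raise instead of silently becoming truthy, so a typo
    such as DJANGO_DEBUG=Flase can neither enable nor accidentally disable
    debug output without anyone noticing.
    """
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"{name} must be a boolean-like string, got {raw!r}")


def build_settings(environ=None):
    """Return the debug-related Django settings as a dict.

    DEBUG defaults to False; a development machine has to opt in explicitly.
    With DEBUG off, a generated placeholder SECRET_KEY or an empty
    ALLOWED_HOSTS is treated as a deployment error at startup.
    """
    environ = os.environ if environ is None else environ
    debug = env_flag("DJANGO_DEBUG", default=False, environ=environ)
    secret_key = environ.get("DJANGO_SECRET_KEY")
    hosts = [
        host.strip()
        for host in environ.get("DJANGO_ALLOWED_HOSTS", "").split(",")
        if host.strip()
    ]

    if debug:
        # Local development: a throwaway key is acceptable, and Django itself
        # accepts localhost variants when ALLOWED_HOSTS is empty and DEBUG is on.
        secret_key = secret_key or INSECURE_KEY_PREFIX + secrets.token_urlsafe(32)
    else:
        if not secret_key or secret_key.startswith(INSECURE_KEY_PREFIX):
            raise RuntimeError(
                "DJANGO_SECRET_KEY must be set to a non-placeholder value when DEBUG is False"
            )
        if not hosts:
            raise RuntimeError(
                "DJANGO_ALLOWED_HOSTS must list the served hostnames when DEBUG is False"
            )

    return {
        "DEBUG": debug,
        # Never propagate exceptions: the 500 handler, not a traceback, answers.
        "DEBUG_PROPAGATE_EXCEPTIONS": False,
        "SECRET_KEY": secret_key,
        "ALLOWED_HOSTS": hosts,
    }
```

In settings.py this would be applied with globals().update(build_settings()) after the non-sensitive settings; with no DJANGO_DEBUG in the environment the process either starts with DEBUG = False and a real key, or refuses to start, which is the behaviour you want from a production deploy.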
Not Preferred:

import django
from django.conf import settings

# Each configure() call below is a separate illustration; in a real process
# settings.configure() may only be called once, a second call raises RuntimeError.
settings.configure(DEBUG=True)                       # Sensitive
settings.configure(DEBUG_PROPAGATE_EXCEPTIONS=True)  # Sensitive

def some_config(config):
    settings.configure(default_settings=config, DEBUG=True)  # Sensitive
Django's "settings.py" or "global_settings.py" configuration file:

DEBUG = True                        # Sensitive
DEBUG_PROPAGATE_EXCEPTIONS = True   # Sensitive

For this second case an issue is raised only if the file is named "settings.py" or "global_settings.py", the default names for a Django configuration file; the same assignment in a module with another name is not reported.
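A small check that reports both patterns above, added here as an example and not the analyzer's own implementation. It parses the file with the ast module, flags a literal True assigned to DEBUG or DEBUG_PROPAGATE_EXCEPTIONS only when the file is named settings.py or global_settings.py (mirroring the rule text), and flags settings.configure(DEBUG=True) in any file. The sample sources are constructed for the example; everything beyond the two patterns and the file-name filter is an assumption of this example.

```python
import ast
from pathlib import PurePath

# Constructed example (not the analyzer's code): locate Django debug features
# enabled with a literal True, the two cases the rule describes.

DEBUG_FLAGS = {"DEBUG", "DEBUG_PROPAGATE_EXCEPTIONS"}
SETTINGS_FILENAMES = {"settings.py", "global_settings.py"}

# Sample inputs constructed for this example.
SAMPLE_SETTINGS = """\
SECRET_KEY = "placeholder"
DEBUG = True
DEBUG_PROPAGATE_EXCEPTIONS = True
ALLOWED_HOSTS = []
"""

SAMPLE_SCRIPT = """\
import os
from django.conf import settings
settings.configure(DEBUG=True)
settings.configure(DEBUG=os.environ.get("DJANGO_DEBUG") == "1")
"""


def _is_true(node):
    """True only for the literal True, so DEBUG = env_flag(...) is not flagged."""
    return isinstance(node, ast.Constant) and node.value is True


def _is_settings_configure(call):
    """Match settings.configure(...) and django.conf.settings.configure(...)."""
    func = call.func
    if not (isinstance(func, ast.Attribute) and func.attr == "configure"):
        return False
    owner = func.value
    if isinstance(owner, ast.Name):
        return owner.id == "settings"
    if isinstance(owner, ast.Attribute):
        return owner.attr == "settings"
    return False


def find_debug_issues(source, filename):
    """Return sorted (line, message) tuples for debug features enabled in source."""
    issues = []
    tree = ast.parse(source, filename=filename)
    is_settings_module = PurePath(filename).name in SETTINGS_FILENAMES
    for node in ast.walk(tree):
        if isinstance(node, (ast.Assign, ast.AnnAssign)):
            # Module-level flags only count in a Django settings module.
            if not is_settings_module:
                continue
            targets = node.targets if isinstance(node, ast.Assign) else [node.target]
            for target in targets:
                if isinstance(target, ast.Name) and target.id in DEBUG_FLAGS and _is_true(node.value):
                    issues.append((node.lineno, f"{target.id} = True"))
        elif isinstance(node, ast.Call) and _is_settings_configure(node):
            # settings.configure(DEBUG=True) is reported wherever it appears.
            for keyword in node.keywords:
                if keyword.arg in DEBUG_FLAGS and _is_true(keyword.value):
                    issues.append((node.lineno, f"settings.configure({keyword.arg}=True)"))
    return sorted(issues)


if __name__ == "__main__":
    for name, source in (("project/settings.py", SAMPLE_SETTINGS), ("manage.py", SAMPLE_SCRIPT)):
        for line, message in find_debug_issues(source, name):
            print(f"{name}:{line}: {message}")
```

Because the check looks for a literal True, a settings module that reads DEBUG from the environment (as in the recommended approach) produces no report, while the generated settings.py shown at the top of this page produces one for its DEBUG line.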