Install
Terminal · npx
$npx skills add https://github.com/affaan-m/everything-claude-code --skill django-security
Works with Paperclip
How Django Security fits into a Paperclip company.

Django Security drops into any Paperclip agent that handles this kind of work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md593 linesmarkdown
Expand
1---2name: django-security3description: Django security best practices, authentication, authorization, CSRF protection, SQL injection prevention, XSS prevention, and secure deployment configurations.4origin: ECC5---6 7# Django Security Best Practices8 9Comprehensive security guidelines for Django applications to protect against common vulnerabilities.10 11## When to Activate12 13- Setting up Django authentication and authorization14- Implementing user permissions and roles15- Configuring production security settings16- Reviewing Django application for security issues17- Deploying Django applications to production18 19## Core Security Settings20 21### Production Settings Configuration22 23```python24# settings/production.py25import os26 27DEBUG = False  # CRITICAL: Never use True in production28 29ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', '').split(',')30 31# Security headers32SECURE_SSL_REDIRECT = True33SESSION_COOKIE_SECURE = True34CSRF_COOKIE_SECURE = True35SECURE_HSTS_SECONDS = 31536000  # 1 year36SECURE_HSTS_INCLUDE_SUBDOMAINS = True37SECURE_HSTS_PRELOAD = True38SECURE_CONTENT_TYPE_NOSNIFF = True39SECURE_BROWSER_XSS_FILTER = True40X_FRAME_OPTIONS = 'DENY'41 42# HTTPS and Cookies43SESSION_COOKIE_HTTPONLY = True44CSRF_COOKIE_HTTPONLY = True45SESSION_COOKIE_SAMESITE = 'Lax'46CSRF_COOKIE_SAMESITE = 'Lax'47 48# Secret key (must be set via environment variable)49SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')50if not SECRET_KEY:51    raise ImproperlyConfigured('DJANGO_SECRET_KEY environment variable is required')52 53# Password validation54AUTH_PASSWORD_VALIDATORS = [55    {56        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',57    },58    {59        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',60        'OPTIONS': {61            'min_length': 12,62        }63    },64    {65        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',66    },67    {68        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',69    },70]71```72 73## Authentication74 75### Custom User Model76 77```python78# apps/users/models.py79from django.contrib.auth.models import AbstractUser80from django.db import models81 82class User(AbstractUser):83    """Custom user model for better security."""84 85    email = models.EmailField(unique=True)86    phone = models.CharField(max_length=20, blank=True)87 88    USERNAME_FIELD = 'email'  # Use email as username89    REQUIRED_FIELDS = ['username']90 91    class Meta:92        db_table = 'users'93        verbose_name = 'User'94        verbose_name_plural = 'Users'95 96    def __str__(self):97        return self.email98 99# settings/base.py100AUTH_USER_MODEL = 'users.User'101```102 103### Password Hashing104 105```python106# Django uses PBKDF2 by default. For stronger security:107PASSWORD_HASHERS = [108    'django.contrib.auth.hashers.Argon2PasswordHasher',109    'django.contrib.auth.hashers.PBKDF2PasswordHasher',110    'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',111    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',112]113```114 115### Session Management116 117```python118# Session configuration119SESSION_ENGINE = 'django.contrib.sessions.backends.cache'  # Or 'db'120SESSION_CACHE_ALIAS = 'default'121SESSION_COOKIE_AGE = 3600 * 24 * 7  # 1 week122SESSION_SAVE_EVERY_REQUEST = False123SESSION_EXPIRE_AT_BROWSER_CLOSE = False  # Better UX, but less secure124```125 126## Authorization127 128### Permissions129 130```python131# models.py132from django.db import models133from django.contrib.auth.models import Permission134 135class Post(models.Model):136    title = models.CharField(max_length=200)137    content = models.TextField()138    author = models.ForeignKey(User, on_delete=models.CASCADE)139 140    class Meta:141        permissions = [142            ('can_publish', 'Can publish posts'),143            ('can_edit_others', 'Can edit posts of others'),144        ]145 146    def user_can_edit(self, user):147        """Check if user can edit this post."""148        return self.author == user or user.has_perm('app.can_edit_others')149 150# views.py151from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin152from django.views.generic import UpdateView153 154class PostUpdateView(LoginRequiredMixin, PermissionRequiredMixin, UpdateView):155    model = Post156    permission_required = 'app.can_edit_others'157    raise_exception = True  # Return 403 instead of redirect158 159    def get_queryset(self):160        """Only allow users to edit their own posts."""161        return Post.objects.filter(author=self.request.user)162```163 164### Custom Permissions165 166```python167# permissions.py168from rest_framework import permissions169 170class IsOwnerOrReadOnly(permissions.BasePermission):171    """Allow only owners to edit objects."""172 173    def has_object_permission(self, request, view, obj):174        # Read permissions allowed for any request175        if request.method in permissions.SAFE_METHODS:176            return True177 178        # Write permissions only for owner179        return obj.author == request.user180 181class IsAdminOrReadOnly(permissions.BasePermission):182    """Allow admins to do anything, others read-only."""183 184    def has_permission(self, request, view):185        if request.method in permissions.SAFE_METHODS:186            return True187        return request.user and request.user.is_staff188 189class IsVerifiedUser(permissions.BasePermission):190    """Allow only verified users."""191 192    def has_permission(self, request, view):193        return request.user and request.user.is_authenticated and request.user.is_verified194```195 196### Role-Based Access Control (RBAC)197 198```python199# models.py200from django.contrib.auth.models import AbstractUser, Group201 202class User(AbstractUser):203    ROLE_CHOICES = [204        ('admin', 'Administrator'),205        ('moderator', 'Moderator'),206        ('user', 'Regular User'),207    ]208    role = models.CharField(max_length=20, choices=ROLE_CHOICES, default='user')209 210    def is_admin(self):211        return self.role == 'admin' or self.is_superuser212 213    def is_moderator(self):214        return self.role in ['admin', 'moderator']215 216# Mixins217class AdminRequiredMixin:218    """Mixin to require admin role."""219 220    def dispatch(self, request, *args, **kwargs):221        if not request.user.is_authenticated or not request.user.is_admin():222            from django.core.exceptions import PermissionDenied223            raise PermissionDenied224        return super().dispatch(request, *args, **kwargs)225```226 227## SQL Injection Prevention228 229### Django ORM Protection230 231```python232# GOOD: Django ORM automatically escapes parameters233def get_user(username):234    return User.objects.get(username=username)  # Safe235 236# GOOD: Using parameters with raw()237def search_users(query):238    return User.objects.raw('SELECT * FROM users WHERE username = %s', [query])239 240# BAD: Never directly interpolate user input241def get_user_bad(username):242    return User.objects.raw(f'SELECT * FROM users WHERE username = {username}')  # VULNERABLE!243 244# GOOD: Using filter with proper escaping245def get_users_by_email(email):246    return User.objects.filter(email__iexact=email)  # Safe247 248# GOOD: Using Q objects for complex queries249from django.db.models import Q250def search_users_complex(query):251    return User.objects.filter(252        Q(username__icontains=query) |253        Q(email__icontains=query)254    )  # Safe255```256 257### Extra Security with raw()258 259```python260# If you must use raw SQL, always use parameters261User.objects.raw(262    'SELECT * FROM users WHERE email = %s AND status = %s',263    [user_input_email, status]264)265```266 267## XSS Prevention268 269### Template Escaping270 271```django272{# Django auto-escapes variables by default - SAFE #}273{{ user_input }}  {# Escaped HTML #}274 275{# Explicitly mark safe only for trusted content #}276{{ trusted_html|safe }}  {# Not escaped #}277 278{# Use template filters for safe HTML #}279{{ user_input|escape }}  {# Same as default #}280{{ user_input|striptags }}  {# Remove all HTML tags #}281 282{# JavaScript escaping #}283<script>284    var username = {{ username|escapejs }};285</script>286```287 288### Safe String Handling289 290```python291from django.utils.safestring import mark_safe292from django.utils.html import escape293 294# BAD: Never mark user input as safe without escaping295def render_bad(user_input):296    return mark_safe(user_input)  # VULNERABLE!297 298# GOOD: Escape first, then mark safe299def render_good(user_input):300    return mark_safe(escape(user_input))301 302# GOOD: Use format_html for HTML with variables303from django.utils.html import format_html304 305def greet_user(username):306    return format_html('<span class="user">{}</span>', escape(username))307```308 309### HTTP Headers310 311```python312# settings.py313SECURE_CONTENT_TYPE_NOSNIFF = True  # Prevent MIME sniffing314SECURE_BROWSER_XSS_FILTER = True  # Enable XSS filter315X_FRAME_OPTIONS = 'DENY'  # Prevent clickjacking316 317# Custom middleware318from django.conf import settings319 320class SecurityHeaderMiddleware:321    def __init__(self, get_response):322        self.get_response = get_response323 324    def __call__(self, request):325        response = self.get_response(request)326        response['X-Content-Type-Options'] = 'nosniff'327        response['X-Frame-Options'] = 'DENY'328        response['X-XSS-Protection'] = '1; mode=block'329        response['Content-Security-Policy'] = "default-src 'self'"330        return response331```332 333## CSRF Protection334 335### Default CSRF Protection336 337```python338# settings.py - CSRF is enabled by default339CSRF_COOKIE_SECURE = True  # Only send over HTTPS340CSRF_COOKIE_HTTPONLY = True  # Prevent JavaScript access341CSRF_COOKIE_SAMESITE = 'Lax'  # Prevent CSRF in some cases342CSRF_TRUSTED_ORIGINS = ['https://example.com']  # Trusted domains343 344# Template usage345<form method="post">346    {% csrf_token %}347    {{ form.as_p }}348    <button type="submit">Submit</button>349</form>350 351# AJAX requests352function getCookie(name) {353    let cookieValue = null;354    if (document.cookie && document.cookie !== '') {355        const cookies = document.cookie.split(';');356        for (let i = 0; i < cookies.length; i++) {357            const cookie = cookies[i].trim();358            if (cookie.substring(0, name.length + 1) === (name + '=')) {359                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));360                break;361            }362        }363    }364    return cookieValue;365}366 367fetch('/api/endpoint/', {368    method: 'POST',369    headers: {370        'X-CSRFToken': getCookie('csrftoken'),371        'Content-Type': 'application/json',372    },373    body: JSON.stringify(data)374});375```376 377### Exempting Views (Use Carefully)378 379```python380from django.views.decorators.csrf import csrf_exempt381 382@csrf_exempt  # Only use when absolutely necessary!383def webhook_view(request):384    # Webhook from external service385    pass386```387 388## File Upload Security389 390### File Validation391 392```python393import os394from django.core.exceptions import ValidationError395 396def validate_file_extension(value):397    """Validate file extension."""398    ext = os.path.splitext(value.name)[1]399    valid_extensions = ['.jpg', '.jpeg', '.png', '.gif', '.pdf']400    if not ext.lower() in valid_extensions:401        raise ValidationError('Unsupported file extension.')402 403def validate_file_size(value):404    """Validate file size (max 5MB)."""405    filesize = value.size406    if filesize > 5 * 1024 * 1024:407        raise ValidationError('File too large. Max size is 5MB.')408 409# models.py410class Document(models.Model):411    file = models.FileField(412        upload_to='documents/',413        validators=[validate_file_extension, validate_file_size]414    )415```416 417### Secure File Storage418 419```python420# settings.py421MEDIA_ROOT = '/var/www/media/'422MEDIA_URL = '/media/'423 424# Use a separate domain for media in production425MEDIA_DOMAIN = 'https://media.example.com'426 427# Don't serve user uploads directly428# Use whitenoise or a CDN for static files429# Use a separate server or S3 for media files430```431 432## API Security433 434### Rate Limiting435 436```python437# settings.py438REST_FRAMEWORK = {439    'DEFAULT_THROTTLE_CLASSES': [440        'rest_framework.throttling.AnonRateThrottle',441        'rest_framework.throttling.UserRateThrottle'442    ],443    'DEFAULT_THROTTLE_RATES': {444        'anon': '100/day',445        'user': '1000/day',446        'upload': '10/hour',447    }448}449 450# Custom throttle451from rest_framework.throttling import UserRateThrottle452 453class BurstRateThrottle(UserRateThrottle):454    scope = 'burst'455    rate = '60/min'456 457class SustainedRateThrottle(UserRateThrottle):458    scope = 'sustained'459    rate = '1000/day'460```461 462### Authentication for APIs463 464```python465# settings.py466REST_FRAMEWORK = {467    'DEFAULT_AUTHENTICATION_CLASSES': [468        'rest_framework.authentication.TokenAuthentication',469        'rest_framework.authentication.SessionAuthentication',470        'rest_framework_simplejwt.authentication.JWTAuthentication',471    ],472    'DEFAULT_PERMISSION_CLASSES': [473        'rest_framework.permissions.IsAuthenticated',474    ],475}476 477# views.py478from rest_framework.decorators import api_view, permission_classes479from rest_framework.permissions import IsAuthenticated480 481@api_view(['GET', 'POST'])482@permission_classes([IsAuthenticated])483def protected_view(request):484    return Response({'message': 'You are authenticated'})485```486 487## Security Headers488 489### Content Security Policy490 491```python492# settings.py493CSP_DEFAULT_SRC = "'self'"494CSP_SCRIPT_SRC = "'self' https://cdn.example.com"495CSP_STYLE_SRC = "'self' 'unsafe-inline'"496CSP_IMG_SRC = "'self' data: https:"497CSP_CONNECT_SRC = "'self' https://api.example.com"498 499# Middleware500class CSPMiddleware:501    def __init__(self, get_response):502        self.get_response = get_response503 504    def __call__(self, request):505        response = self.get_response(request)506        response['Content-Security-Policy'] = (507            f"default-src {CSP_DEFAULT_SRC}; "508            f"script-src {CSP_SCRIPT_SRC}; "509            f"style-src {CSP_STYLE_SRC}; "510            f"img-src {CSP_IMG_SRC}; "511            f"connect-src {CSP_CONNECT_SRC}"512        )513        return response514```515 516## Environment Variables517 518### Managing Secrets519 520```python521# Use python-decouple or django-environ522import environ523 524env = environ.Env(525    # set casting, default value526    DEBUG=(bool, False)527)528 529# reading .env file530environ.Env.read_env()531 532SECRET_KEY = env('DJANGO_SECRET_KEY')533DATABASE_URL = env('DATABASE_URL')534ALLOWED_HOSTS = env.list('ALLOWED_HOSTS')535 536# .env file (never commit this)537DEBUG=False538SECRET_KEY=your-secret-key-here539DATABASE_URL=postgresql://user:password@localhost:5432/dbname540ALLOWED_HOSTS=example.com,www.example.com541```542 543## Logging Security Events544 545```python546# settings.py547LOGGING = {548    'version': 1,549    'disable_existing_loggers': False,550    'handlers': {551        'file': {552            'level': 'WARNING',553            'class': 'logging.FileHandler',554            'filename': '/var/log/django/security.log',555        },556        'console': {557            'level': 'INFO',558            'class': 'logging.StreamHandler',559        },560    },561    'loggers': {562        'django.security': {563            'handlers': ['file', 'console'],564            'level': 'WARNING',565            'propagate': True,566        },567        'django.request': {568            'handlers': ['file'],569            'level': 'ERROR',570            'propagate': False,571        },572    },573}574```575 576## Quick Security Checklist577 578| Check | Description |579|-------|-------------|580| `DEBUG = False` | Never run with DEBUG in production |581| HTTPS only | Force SSL, secure cookies |582| Strong secrets | Use environment variables for SECRET_KEY |583| Password validation | Enable all password validators |584| CSRF protection | Enabled by default, don't disable |585| XSS prevention | Django auto-escapes, don't use `&#124;safe` with user input |586| SQL injection | Use ORM, never concatenate strings in queries |587| File uploads | Validate file type and size |588| Rate limiting | Throttle API endpoints |589| Security headers | CSP, X-Frame-Options, HSTS |590| Logging | Log security events |591| Updates | Keep Django and dependencies updated |592 593Remember: Security is a process, not a product. Regularly review and update your security practices.
Related skills
Agent Eval

Install Agent Eval skill for Claude Code from affaan-m/everything-claude-code.
Agent Harness Construction

Install Agent Harness Construction skill for Claude Code from affaan-m/everything-claude-code.
Agent Payment X402

Install Agent Payment X402 skill for Claude Code from affaan-m/everything-claude-code.