python.django.secure_settings

Security High

Detects missing Django security settings for production.

Missing security settings:

  • DEBUG = True in production
  • Hardcoded SECRET_KEY
  • Missing security headers

Impact:

  • XSS attacks — No browser XSS filter
  • Clickjacking — Site can be embedded in iframes
  • Data leakage — Sensitive headers exposed

# ❌ Before (missing security settings)
DEBUG = True  # In production!
SECRET_KEY = 'hardcoded-key'

# ✅ After (proper security settings)
import os

DEBUG = False                                 # never serve tracebacks and settings to users
SECRET_KEY = os.environ['DJANGO_SECRET_KEY']  # read from the environment, not from source
SECURE_BROWSER_XSS_FILTER = True              # sends X-XSS-Protection
SECURE_CONTENT_TYPE_NOSNIFF = True            # sends X-Content-Type-Options: nosniff
X_FRAME_OPTIONS = 'DENY'                      # sends X-Frame-Options: DENY (clickjacking)
SECURE_HSTS_SECONDS = 31536000                # HSTS for one year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_SSL_REDIRECT = True                    # redirect plain HTTP to HTTPS
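As an added example (not this rule's own implementation), here is a small static audit in the spirit of the rule: it parses the text of a settings.py with the standard ast module and reports the same three problems, DEBUG left on, SECRET_KEY given as a string literal, and hardening settings that are absent or set to the wrong value. The two sample settings strings are constructed from the Before/After blocks above.

```python
import ast

# Production values this rule expects (mirrors the "After" block above;
# SECURE_BROWSER_XSS_FILTER is deprecated in recent Django but the rule lists it).
EXPECTED = {
    "DEBUG": False,
    "SECURE_BROWSER_XSS_FILTER": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "X_FRAME_OPTIONS": "DENY",
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_SSL_REDIRECT": True,
}

def audit_settings(source: str) -> list[str]:
    """Report settings problems in a Django settings module given as text.
    Only top-level NAME = value assignments are read; nothing is executed."""
    assigned = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    assigned[target.id] = node.value
    findings = []
    for name, want in EXPECTED.items():
        value = assigned.get(name)
        if value is None:
            findings.append(f"{name} is not set")
        elif not (isinstance(value, ast.Constant) and value.value == want):
            findings.append(f"{name} should be {want!r}")
    hsts = assigned.get("SECURE_HSTS_SECONDS")  # any positive max-age is accepted
    if not (isinstance(hsts, ast.Constant) and isinstance(hsts.value, int)
            and hsts.value > 0):
        findings.append("SECURE_HSTS_SECONDS is not set to a positive value")
    key = assigned.get("SECRET_KEY")  # a literal in source is the finding
    if key is None:
        findings.append("SECRET_KEY is not set")
    elif isinstance(key, ast.Constant) and isinstance(key.value, str):
        findings.append("SECRET_KEY is a hardcoded string literal")
    return findings

# Constructed sample inputs, taken from the Before/After blocks above.
BEFORE_SETTINGS = "DEBUG = True  # In production!\nSECRET_KEY = 'hardcoded-key'\n"
AFTER_SETTINGS = (
    "import os\nDEBUG = False\nSECRET_KEY = os.environ['DJANGO_SECRET_KEY']\n"
    "SECURE_BROWSER_XSS_FILTER = True\nSECURE_CONTENT_TYPE_NOSNIFF = True\n"
    "X_FRAME_OPTIONS = 'DENY'\nSECURE_HSTS_SECONDS = 31536000\n"
    "SECURE_HSTS_INCLUDE_SUBDOMAINS = True\nSECURE_SSL_REDIRECT = True\n"
)
```

Django ships a runtime counterpart, `python manage.py check --deploy`, which inspects the live settings rather than the source file and should be run as well before a release.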