Django ships with strong security defaults, but default isn't the same as secure. This checklist walks through the OWASP Top 10 and maps each risk to concrete Django settings and code patterns.
Injection: Always use Django's ORM rather than raw SQL. If you must write raw queries, use parameterised queries (cursor.execute(sql, params)) — never string-format user input into SQL.
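The raw-query anti-pattern beside the parameterised form, as an added example (not from the original checklist). It uses the stdlib sqlite3 module so it runs offline; Django's `connection.cursor()` follows the same DB-API `cursor.execute(sql, params)` contract, the one difference being that Django's cursor expects `%s` placeholders on every backend while sqlite3 uses `?`. The table contents are constructed sample data.

```python
"""Raw-SQL injection vs. a parameterised query (stdlib sqlite3, constructed data)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table mirroring Django's auth_user layout.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO auth_user (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The anti-pattern the checklist warns against: user input is formatted into
    # the SQL text, so quote characters in the input change the query's meaning.
    sql = f"SELECT id, username FROM auth_user WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn: sqlite3.Connection, username: str) -> list:
    # The driver binds the value separately from the SQL text; the input is only
    # ever compared as data, never parsed as SQL. (Django: use %s instead of ?.)
    sql = "SELECT id, username FROM auth_user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"          # a tautology that rewrites the WHERE clause
    print(find_user_vulnerable(db, hostile))      # every row comes back
    print(find_user_parameterised(db, hostile))   # []: no user has that literal name
```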
XSS: Django's template engine auto-escapes HTML by default. Never use the |safe filter on untrusted data. Use Content Security Policy headers to block inline scripts.
CSRF: Django's CsrfViewMiddleware is enabled by default — keep it. For AJAX requests, send the CSRF token in the X-CSRFToken header.
Secret Management: Never commit secrets to version control. Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault). Rotate secrets regularly and audit access logs.
Dependencies: Run `pip-audit` in your CI pipeline. Pin exact dependency versions in requirements.txt and update them in a controlled process, reviewing changelogs for security fixes.
Transport and Headers: Set SECURE_HSTS_SECONDS, SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE, and CSRF_COOKIE_SECURE in production; `manage.py check --deploy` warns when any of them is missing. Use django-csp to configure Content Security Policy headers.