Django has excellent security defaults including CSRF protection, SQL injection prevention through the ORM, XSS protection in templates and clickjacking protection. However, developers frequently override these defaults by using raw SQL queries, disabling CSRF middleware, exposing the admin panel publicly and leaving DEBUG=True in production. Sherlock Forensics audits your Django application to verify that default protections remain intact and custom code does not introduce new vulnerabilities.

Should I disable the Django admin in production?

The Django admin should either be disabled in production or restricted to specific IP addresses behind a VPN or additional authentication layer. The default /admin/ path is well known and constantly targeted by automated scanners. If you need the admin in production, change the URL path, add IP allowlisting, implement two-factor authentication and monitor for brute force attempts. Sherlock Forensics tests admin panel security as part of every Django audit.

What Python web app vulnerabilities exist?

Python web applications are vulnerable to ORM injection through raw queries, server-side template injection, insecure deserialization (pickle), SSRF through request libraries, path traversal in file operations, command injection through subprocess calls, XML external entity attacks and dependency vulnerabilities in pip packages. Django-specific risks include admin panel exposure, SECRET_KEY compromise and middleware ordering issues.

How do I secure Django REST Framework?

Secure DRF by setting default authentication and permission classes globally rather than per-view. Use throttling to prevent abuse. Validate all input through serializers. Restrict querysets in viewsets to prevent unauthorized data access. Disable the browsable API in production. Use token rotation for JWT authentication. Implement object-level permissions for sensitive resources. Sherlock Forensics tests DRF APIs for authentication bypass, authorization flaws, serializer injection and data exposure.

Do Django apps need pentesting?

If your Django application handles user data, processes payments, stores sensitive information or runs in production with real customers, it needs a penetration test. Django's security defaults are strong but only protect against vulnerabilities the framework knows about. Custom code, third-party packages and deployment configuration introduce risks that require manual testing. Sherlock Forensics offers Django-specific audits from $1,500 CAD.

Django Security

Django Security Audit

Django has good defaults. Your code probably overrides them.

Sherlock Forensics provides Django security audits covering admin panel exposure (/admin/), DEBUG=True in production, CSRF middleware bypass, ORM injection through raw queries, template injection, SECRET_KEY exposure, clickjacking via missing X-Frame-Options and insecure file serving. Quick audits from $1,500 CAD. Standard penetration tests from $5,000 CAD.

Django is known for its "batteries included" approach to security. CSRF protection, SQL injection prevention, XSS escaping and clickjacking headers all come configured out of the box. The problem is that real-world applications override these defaults constantly. Raw SQL queries bypass the ORM. CSRF middleware gets disabled for API views. The admin panel sits on /admin/ accessible to the entire internet. DEBUG=True ships to production because someone forgot to change it. We audit Django applications to find where the defaults have been weakened and where custom code has introduced new attack surfaces.

Order a Quick Audit - $1,500 Scope a Full Pentest

What We Find

Django Vulnerabilities We Test For

01 - Admin

Admin Panel Exposure (/admin/)

Django's admin interface is a powerful tool that provides direct database access, user management and model manipulation. When accessible at the default /admin/ path without additional protection, it becomes a high-value target for brute force attacks, credential stuffing and privilege escalation. Automated scanners check /admin/ on every Django site they encounter. We test admin panel accessibility, authentication strength, URL predictability and whether additional protections like IP restrictions or multi-factor authentication are in place.

02 - Debug

DEBUG=True in Production

Django's debug mode generates detailed error pages that expose your settings module, installed applications, middleware stack, template directories, database configuration and full Python tracebacks. When DEBUG=True reaches production, any unhandled exception hands attackers a blueprint of your application architecture. This includes secret keys, database credentials and internal paths. We trigger error conditions across your application to verify debug mode is disabled and that custom error handlers do not leak sensitive information.

03 - CSRF

CSRF Middleware Bypass

Django's CsrfViewMiddleware protects against cross-site request forgery by default, but developers routinely disable it with @csrf_exempt decorators on API views, webhook endpoints and AJAX handlers. When CSRF protection is removed from state-changing views, attackers can forge requests from malicious sites that execute actions with the victim's authenticated session. We identify all views with CSRF exemptions, test them for forgeability and verify that alternative protections like token-based authentication are properly implemented.

04 - ORM

ORM Injection Through Raw Queries

Django's ORM prevents SQL injection when used correctly, but developers frequently bypass it with raw(), extra(), RawSQL() and cursor.execute() for complex queries. User input concatenated into these raw SQL expressions creates injection vulnerabilities that the ORM's parameter binding cannot prevent. We trace user input from request parameters through views, serializers and model managers to identify raw query usage that accepts unsanitized data, including through Django REST Framework filters and search backends.

05 - Template

Template Injection

Django's template engine auto-escapes HTML by default, but server-side template injection occurs when user input is used to construct template strings dynamically. If an attacker can control part of a template string passed to Template() or render_to_string(), they can execute arbitrary Python code on the server. The |safe filter and mark_safe() also disable auto-escaping, reintroducing XSS when applied to user-controlled data. We test for both server-side template injection and XSS through unsafe template usage.

06 - Secret

SECRET_KEY Exposure

Django's SECRET_KEY is used for cryptographic signing including session tokens, CSRF tokens, password reset links and signed cookies. If the SECRET_KEY is exposed through version control, DEBUG error pages, backup files or environment variable leaks, attackers can forge sessions, bypass CSRF protection, generate valid password reset links and impersonate any user. We check for SECRET_KEY exposure through multiple vectors and verify that key rotation procedures are in place.

07 - Framing

Clickjacking via Missing X-Frame-Options

Django includes XFrameOptionsMiddleware that sets X-Frame-Options to DENY by default, preventing your pages from being embedded in iframes on malicious sites. However, developers disable this middleware or use @xframe_options_exempt decorators to allow legitimate embedding, inadvertently enabling clickjacking attacks on sensitive pages. We test for missing or misconfigured framing protections, identify exempt views and verify that Content-Security-Policy frame-ancestors directives provide additional protection.

08 - Files

Insecure File Serving

Django's development server serves static and media files directly, but this functionality should never reach production. When MEDIA_ROOT or STATIC_ROOT are served without proper access controls, uploaded files become publicly accessible regardless of intended permissions. Uploaded Python files, configuration backups and user-submitted content may be served directly by the web server. We test file upload handling, media file access controls, path traversal in upload paths and whether Django's development file serving is exposed in production.

Our Approach

How We Audit Django Applications

URL Pattern and View Mapping

We enumerate every URL pattern in your Django application including urlpatterns, included app URLs, admin URLs and DRF router-registered endpoints. We map view functions to their middleware stacks, decorator chains and permission classes to identify which views lack authentication, CSRF protection or authorization checks. This gives us a complete map of your application's attack surface.

Settings and Configuration Review

We review your Django settings for security misconfigurations including DEBUG mode, ALLOWED_HOSTS, SECRET_KEY management, database credentials, CORS configuration, session settings, cookie flags, security middleware ordering and logging configuration. We verify that deployment settings differ appropriately from development defaults and that sensitive values are loaded from environment variables rather than hardcoded in settings files.

Model and Query Analysis

We review model definitions for sensitive data handling, inspect query patterns for raw SQL usage and test ORM filters for injection through lookup expressions. We verify that model-level permissions are enforced consistently and that querysets are properly scoped to prevent unauthorized data access through API endpoints and admin views.

DRF and API Testing

For Django REST Framework applications, we test authentication backends, permission classes, throttling configuration, serializer validation, viewset queryset scoping, filter backends and the browsable API. We verify that object-level permissions are enforced, that nested serializers do not expose related data and that pagination does not allow full database enumeration.

Pricing

Django Security Engagements

Quick Audit - $1,500 CAD: Focused security review covering admin panel exposure, DEBUG mode, SECRET_KEY handling, CSRF configuration and common Django vulnerabilities. Ideal for early-stage applications and side projects going to production. Delivered in 3-5 business days. Order online.
Standard Penetration Test - $5,000 CAD: Full penetration test for production Django applications covering all eight vulnerability categories, ORM injection, template injection, DRF security, authentication and authorization across all endpoints. Order online.
Comprehensive Assessment - $12,000 CAD: Full-scope assessment including source code review, infrastructure testing, CI/CD pipeline review, server configuration audit, Celery/queue security and remediation support. For enterprise Django applications. Contact us to scope.

Frequently Asked Questions

Django Security FAQs

Is Django secure?: Django has some of the best security defaults of any web framework. CSRF protection, SQL injection prevention, XSS escaping and clickjacking headers are all enabled by default. However, these protections only work when developers do not override them. Raw SQL queries, csrf_exempt decorators, the |safe template filter and publicly accessible admin panels are common in production Django applications. A security audit verifies that your application has not weakened Django's built-in protections.
Should I disable the Django admin in production?: If you do not need the admin in production, disable it entirely by removing it from urlpatterns. If you need it, move it to a non-obvious URL path, restrict access by IP address, add two-factor authentication, implement account lockout after failed attempts and monitor access logs for suspicious activity. The default /admin/ path is targeted by every automated scanner on the internet.
What Python web app vulnerabilities exist?: Python web applications face ORM injection through raw queries, server-side template injection, insecure deserialization through pickle, SSRF through requests and urllib, path traversal in file operations, command injection through os.system and subprocess, XML external entity attacks and dependency vulnerabilities. Django-specific risks include admin exposure, SECRET_KEY compromise, middleware bypass and DRF misconfigurations.
How do I secure Django REST Framework?: Set default authentication and permission classes in your DRF settings rather than relying on per-view configuration. Use IsAuthenticated as the default permission class. Implement throttling to prevent API abuse. Validate all input through serializers with explicit field definitions. Scope querysets in viewsets to prevent unauthorized data access. Disable the browsable API in production. Use object-level permissions for sensitive resources.
Do Django apps need pentesting?: If your Django application handles user data, processes payments or serves paying customers, it needs a penetration test. Strong framework defaults do not protect against vulnerabilities in custom code, third-party packages or deployment configuration. Sherlock Forensics offers Django-specific security audits starting at $1,500 CAD with results delivered in 3-5 business days.

Get Started

Find out what your Django code actually exposes.

Quick audits from $1,500 CAD. Standard penetration tests from $5,000 CAD.

Order Online

Secure Your Django Application

Tell us about your Django stack, whether you use DRF, your deployment platform and your biggest security concerns. We will recommend the right assessment for your application.

Call 604.229.1994

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada