An overview of Django’s security features

In this article, I'll be covering the various powerful security features that Django provides without any external configuration or third-party integration.

This article stays strictly in sync with the official Django documentation and the features listed there; I will explain each of them in a simple, detailed and comprehensive way.

Cross-site scripting (XSS) protection

XSS (Cross-Site Scripting) attacks are injection attacks in which malicious scripts are placed into otherwise trusted websites. An XSS attack occurs when an attacker uses a web application to deliver malicious code to another end user, usually in the form of a browser-side script.

Using Django templates protects you from the majority of XSS attacks. However, there are some limitations, so it is important to understand what protections it provides.
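As an added illustration (not code from the article or from Django itself), the following standalone model shows the autoescaping rule Django templates apply and the main limitation the documentation calls out: a value inserted into an unquoted HTML attribute. The names `SafeString`, `mark_safe`, `escape`, `render_var`, `render_comment` and `render_unquoted_class` are constructed for this example; the escaping itself uses Python's standard-library `html.escape`, which performs the same five replacements as Django's `escape` (`&`, `<`, `>`, `"`, `'`).

```python
import html
from dataclasses import dataclass

# Constructed model of Django template autoescaping (not Django's own code):
# every variable is HTML-escaped on output unless the value was explicitly
# marked safe, which is what Django's mark_safe() does.


@dataclass(frozen=True)
class SafeString:
    """Wrapper telling the renderer a string is already safe HTML."""
    value: str


def mark_safe(value: str) -> SafeString:
    """Model of django.utils.safestring.mark_safe: opt out of escaping."""
    return SafeString(value)


def escape(value) -> str:
    """Escape the five characters Django's escape() handles: & < > \" '"""
    return html.escape(str(value), quote=True)


def render_var(value) -> str:
    """Output a template variable: escaped unless it was marked safe."""
    if isinstance(value, SafeString):
        return value.value
    return escape(value)


def render_comment(author, body) -> str:
    # Quoted attribute plus escaped text content: the usual safe case,
    # equivalent to <p class="comment" title="{{ author }}">{{ body }}</p>.
    return f'<p class="comment" title="{render_var(author)}">{render_var(body)}</p>'


def render_unquoted_class(cls) -> str:
    # The limitation noted in the Django docs: an unquoted attribute value.
    # Escaping never touches spaces or '=', so a value containing them can
    # add further attributes to the element. Always quote attribute values.
    return f"<div class={render_var(cls)}>x</div>"
```

Run the block and compare `render_comment('"Ann"', 'a<b')` with `render_unquoted_class('a data-injected=1')`: the quoted attribute is rendered harmlessly, while the unquoted one ends up with an extra attribute even though every character was passed through the escaper.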

Cross-site request forgery (CSRF) protection

Cross-site request forgery, abbreviated CSRF or XSRF and also known as a one-click attack or session riding, is an attack in which unauthorised commands are submitted on behalf of a user whom the web application trusts.

Django comes with built-in protection against most forms of cross-site request forgery attack, as long as you enable it and use it appropriately.

CSRF protection works by checking for a secret in each POST request. This ensures that a malicious user cannot "replay" a form POST to your website and have another logged-in user unknowingly submit that form.
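A simplified, standalone model of that check, added here as an example (it is not Django's own implementation): a per-session secret lives in the `csrftoken` cookie, every rendered form carries a masked copy of it in `csrfmiddlewaretoken`, and on POST the server unmasks the form value and compares it to the cookie secret in constant time. A token captured from one user's form does not unmask to another user's secret, so it cannot be replayed against them. The function names, the `request` dictionary shape and the 32-character alphanumeric secret are assumptions made for this example; Django's own middleware additionally performs Origin/Referer checks that the model leaves out.

```python
import hmac
import secrets
import string

# Constructed model of Django's CSRF token check (not Django's own code).
ALLOWED_CHARS = string.ascii_letters + string.digits   # assumed alphabet
SECRET_LENGTH = 32                                     # assumed secret size


def new_secret() -> str:
    """Per-session secret that the server stores in the CSRF cookie."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Combine the secret with a one-time mask so every form token differs.

    The token is mask + cipher, where cipher[i] = chars[(secret[i] + mask[i]) % n].
    """
    mask = new_secret()
    chars = ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in secret), (chars.index(c) for c in mask))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return mask + cipher


def unmask_token(token: str) -> str:
    """Reverse mask_secret: recover the secret from mask + cipher."""
    mask, cipher = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    chars = ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in cipher), (chars.index(c) for c in mask))
    return "".join(chars[(x - y) % len(chars)] for x, y in pairs)


def token_is_valid(cookie_secret: str, form_token: str) -> bool:
    """Reject malformed tokens, then compare in constant time."""
    if len(form_token) != 2 * SECRET_LENGTH:
        return False
    if any(c not in ALLOWED_CHARS for c in form_token):
        return False
    return hmac.compare_digest(unmask_token(form_token), cookie_secret)


def handle_post(request: dict) -> int:
    """Return the HTTP status a CSRF-protected view would answer with.

    `request` is a constructed stand-in: {"cookies": {...}, "POST": {...}}.
    """
    secret = request.get("cookies", {}).get("csrftoken")
    token = request.get("POST", {}).get("csrfmiddlewaretoken")
    if not secret or not token or not token_is_valid(secret, token):
        return 403   # CSRF verification failed
    return 200
```

The masking step is why two page loads of the same form show different `csrfmiddlewaretoken` values for one session: the secret is constant, the mask is fresh each time, and only the unmasked value is compared.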

SQL injection protection

SQL injection is a web security vulnerability that enables an attacker to interfere with the queries that an application makes to its database. An attacker can gain control over the database and, in many cases, view, modify and delete users' data.

Django's querysets are protected from SQL injection because their queries are constructed using query parameterization. A query's SQL code is defined independently from the query's parameters. Since parameters may be user-provided and therefore untrusted, they are escaped by the underlying database driver.

Django also gives developers the ability to write raw queries or execute custom SQL. These capabilities should be used sparingly, and you should always be careful to properly escape any parameters that the user can control.
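To make the difference concrete, here is an added example (not code from the article or from Django) of the same lookup written the unsafe way, with the user value formatted into the SQL string, and the safe way, with a placeholder so the driver binds the value separately. It uses Python's standard-library `sqlite3` module so it runs without Django; the `auth_user` rows, the `make_db`, `find_user_unsafe` and `find_user_safe` names are constructed for the example. Note that Django's `Manager.raw()` and `cursor.execute()` take `%s` placeholders, whereas `sqlite3` uses `?`.

```python
import sqlite3

# Constructed in-memory database standing in for a Django project's auth_user
# table (sample rows are made up for this example).


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO auth_user (username) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: formatting the value into the string lets the input change
    # the structure of the query, not just the value being compared.
    sql = "SELECT username FROM auth_user WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized: the value travels to the driver separately from the SQL
    # text and is only ever treated as data. This is what Django's ORM does,
    # and what you must do yourself in raw() and cursor.execute() calls.
    sql = "SELECT username FROM auth_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, [username])]
```

With a normal username both functions return the same row; with a value containing a quote and an `OR` clause the unsafe version returns every user while the parameterized one correctly finds nothing, because the whole string is matched literally against the column.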

Clickjacking protection

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, potentially revealing confidential information or allowing others to take control of their system while they click on seemingly innocuous objects, including entire web pages.

Django provides clickjacking protection in the form of the X-Frame-Options middleware, which, in a browser that supports the header, prevents the site from being rendered inside a frame. The protection can be turned off on a per-view basis, and the header value that is sent can be configured.
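The following standalone model, added here as an example and not Django's own code, shows how that middleware behaves: the header is added to every response unless the view already set one or the view has been marked exempt (Django's `@xframe_options_exempt` decorator does this by setting `xframe_options_exempt` on the response), and the value comes from the `X_FRAME_OPTIONS` setting, whose default is `DENY`. The `Response` class, the `apply_xframe_options` function and the two sample views are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of Django's XFrameOptionsMiddleware (not Django's own code).

X_FRAME_OPTIONS = "DENY"   # assumed settings value; DENY is Django's default


@dataclass
class Response:
    """Minimal stand-in for an HttpResponse."""
    body: str
    headers: dict = field(default_factory=dict)
    xframe_options_exempt: bool = False


def xframe_options_exempt(view):
    """Model of the per-view opt-out decorator: flag the response as exempt."""
    def wrapped(*args, **kwargs):
        response = view(*args, **kwargs)
        response.xframe_options_exempt = True
        return response
    return wrapped


def apply_xframe_options(response: Response, setting: str = X_FRAME_OPTIONS) -> Response:
    """What the middleware does on the way out of every view."""
    if "X-Frame-Options" in response.headers:
        return response            # the view chose its own value; keep it
    if response.xframe_options_exempt:
        return response            # view explicitly allows being framed
    response.headers["X-Frame-Options"] = setting.upper()
    return response


def account_page():
    """Ordinary view: inherits the site-wide header."""
    return Response("private account page")


@xframe_options_exempt
def embeddable_widget():
    """A view meant to be framed by other sites, so it opts out."""
    return Response("widget meant to be framed")
```

The two things to check in a real project are that the middleware is actually in `MIDDLEWARE` and that exemptions are limited to views that genuinely need framing; every other response should carry `DENY` or `SAMEORIGIN`.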

Host header validation

The HTTP Host header is a mandatory request header as of HTTP/1.1. It specifies the domain name that the client wants to access.

Django validates the Host header against the ALLOWED_HOSTS setting in the django.http.HttpRequest.get_host() method.
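As an added example (not Django's own code), the standalone model below reproduces the documented ALLOWED_HOSTS matching rules: an entry matches the host exactly, an entry beginning with `.` also matches any subdomain, and `*` matches every host; the port and a trailing dot are ignored and the comparison is case-insensitive. A malformed or unlisted header raises, which Django turns into a 400 response. The names `HOST_RE`, `DisallowedHost`, `split_domain_port`, `is_same_domain`, `validate_host` and `get_host` are constructed here for the example.

```python
import re

# Constructed model of the ALLOWED_HOSTS check behind HttpRequest.get_host()
# (not Django's own code).

# Shape of a syntactically valid Host value: a domain name or a bracketed
# IPv6 literal, optionally followed by :port.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


class DisallowedHost(Exception):
    """Raised when the Host header fails validation."""


def split_domain_port(host: str):
    """Return (domain, port); ('', '') if the header is malformed."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):                 # IPv6 literal without a port
        return host, ""
    if ":" in host:
        domain, _, port = host.rpartition(":")
    else:
        domain, port = host, ""
    if domain.endswith("."):               # fully qualified form still matches
        domain = domain[:-1]
    return domain, port


def is_same_domain(host: str, pattern: str) -> bool:
    """Exact match, or subdomain match when the pattern starts with '.'."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(host: str, allowed_hosts) -> bool:
    """True if any ALLOWED_HOSTS entry matches (or '*' is present)."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def get_host(host_header: str, allowed_hosts) -> str:
    """Return the header value if it passes validation, otherwise raise."""
    domain, _port = split_domain_port(host_header)
    if domain and validate_host(domain, allowed_hosts):
        return host_header
    raise DisallowedHost("Invalid HTTP_HOST header: %r" % host_header)
```

The practical consequence is that a deployment with an empty or overly broad ALLOWED_HOSTS (a bare `*` in production) gives up this check entirely, and any absolute URL Django builds from the request host then reflects whatever a client sent.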


Django also covers some additional security topics. Two of them are listed below:

  • Referrer-Policy
  • Session Security


In this short, to-the-point article, we have discussed some of the most popular security features that Django comes with. There is always scope for improvement and advancement in the current features, but I hope you now feel confident delving in and experimenting with this wide range of powerful utilities yourself.

Feel free to reach out to me anytime; I would be pleased to receive your feedback.

Thanks a lot for reading till the end. You can reach out to me if you need any assistance:




JP Morgan Chase & Co | Google DSC LEAD | Microsoft Student Partner | Web developer | Technical Writer | TheProgrammedEnthusiast |
Abhishek Srivastava