Skip to content

Security & Configuration

Security Architecture Snapshot

flowchart LR
    Request["Incoming Request"] --> Security["Security Middleware Layer"]
    Security --> Auth["Auth and MFA Enforcement"]
    Auth --> Policy["CSP and Browser Policy Headers"]
    Policy --> App["Domain App Execution"]

Configuration Layers

  1. compose wiring
  2. environment variables (.env)
  3. Django settings and middleware
  4. deploy ingress behavior

Critical Variables

# secret and host controls
DJANGO_SECRET_KEY
DJANGO_ALLOWED_HOSTS

# database
DB_HOST DB_PORT DB_NAME DB_USER DB_PASS

# async
CELERY_BROKER_URL CELERY_RESULT_BACKEND

Implemented Security Controls

  • secure defaults outside debug mode
  • secure cookie + HTTPS redirect options
  • CSRF trusted origins
  • HSTS, frame/referrer protections
  • content security policy and permissions policy headers
  • login-required and MFA-required middleware
  • auth endpoint rate limiting

Production hardening

Confirm secure cookie, redirect, HSTS, and trusted-origin settings are explicitly set for production deployments.

Release-time security checks
  • verify no secrets in repo
  • verify host/CSRF ingress alignment
  • verify auth and MFA user flows
  • verify policy headers in live responses