Django is 'batteries included' with safe defaults (ORM, CSRF, template auto-escaping, auth) and is solid when configured correctly. But incidents come from settings. The big three: (1) DEBUG=True in production, which exposes settings, environment variables, and secrets on the error page; (2) a leaked SECRET_KEY, the basis for signing and sessions; (3) thin authorization (missing is_staff or permission checks). Plus SQLi via raw()/extra() or string interpolation, unsafe deserialization (pickle), an unset ALLOWED_HOSTS, and dependency (pip) CVEs. Defenses: DEBUG=False in production, SECRET_KEY loaded from the environment, and explicit authorization on every view.
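As an added example (not code from the tagged article), a settings pattern that reads DEBUG, SECRET_KEY and ALLOWED_HOSTS from the environment, plus a pre-deploy check that flags the misconfigurations listed above. The DJANGO_* variable names are an assumed deployment convention, not a Django default.

```python
"""Hardened settings loader and a pre-deploy audit for the 'big three'."""
import os


def load_settings(env):
    """Build the security-relevant settings from an environment mapping.

    Nothing is hard-coded: DEBUG defaults to off, SECRET_KEY has no fallback,
    and ALLOWED_HOSTS is a comma-separated list (assumed convention).
    """
    debug = env.get("DJANGO_DEBUG", "0") == "1"
    secret = env.get("DJANGO_SECRET_KEY", "")
    hosts = [h.strip() for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()]
    return {"DEBUG": debug, "SECRET_KEY": secret, "ALLOWED_HOSTS": hosts}


def audit_settings(settings):
    """Return a list of findings for the settings mistakes described above.

    Mirrors what Django's own `manage.py check --deploy` warns about for
    DEBUG, SECRET_KEY length/placeholder prefix, and ALLOWED_HOSTS.
    """
    findings = []
    debug = settings.get("DEBUG", False)
    if debug:
        findings.append("DEBUG=True: error pages leak settings, env vars and secrets")
    key = settings.get("SECRET_KEY", "")
    if not key:
        findings.append("SECRET_KEY missing: Django will refuse to start")
    elif len(key) < 50 or key.startswith("django-insecure-"):
        # startproject generates a 'django-insecure-' key; it must be replaced.
        findings.append("SECRET_KEY is short or the startproject placeholder")
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not debug and not hosts:
        findings.append("ALLOWED_HOSTS empty: every request is rejected with DEBUG=False")
    if "*" in hosts:
        findings.append("ALLOWED_HOSTS contains '*': Host header is not validated")
    return findings


if __name__ == "__main__":
    # Run against the real environment before deploying.
    for finding in audit_settings(load_settings(os.environ)):
        print("WARNING:", finding)
```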