Harden production settings safety checks and docs

config/settings/base.py

@@ -1,8 +1,10 @@
 from pathlib import Path
+import logging
 import os
 from django.core.exceptions import ImproperlyConfigured
 
 BASE_DIR = Path(__file__).resolve().parent.parent.parent
+settings_logger = logging.getLogger("config.settings")
 
 
 def env_bool(key: str, default: bool = False) -> bool:
@@ -20,15 +22,39 @@ def env_list(key: str, default: str = "") -> list[str]:
 DJANGO_ENV = os.getenv("DJANGO_ENV", "development").strip().lower()
 SECRET_KEY = os.getenv("DJANGO_SECRET_KEY", "insecure-development-secret")
 DEBUG = env_bool("DJANGO_DEBUG", False)
+IS_DEVELOPMENT_ENV = DJANGO_ENV in {"development", "local", "dev"}
 ALLOWED_HOSTS = env_list("DJANGO_ALLOWED_HOSTS", "localhost,127.0.0.1")
 CSRF_TRUSTED_ORIGINS = env_list(
     "DJANGO_CSRF_TRUSTED_ORIGINS", "http://localhost,http://127.0.0.1"
 )
 
-if not DEBUG and SECRET_KEY in {"", "insecure-development-secret", "change-me-in-production"}:
-    raise ImproperlyConfigured("DJANGO_SECRET_KEY must be set to a strong value when DEBUG=0.")
+DEFAULT_SECRET_KEY_MARKERS = {"", "insecure-development-secret", "change-me-in-production"}
+
+
+def raise_config_error(message: str) -> None:
+    settings_logger.critical("Configuration error: %s", message)
+    raise ImproperlyConfigured(message)
+
+
+def is_secret_key_unsafe(secret_key: str) -> bool:
+    if secret_key in DEFAULT_SECRET_KEY_MARKERS:
+        return True
+    if len(secret_key) < 32:
+        return True
+    lower = secret_key.lower()
+    return "change-me" in lower or "insecure" in lower or "default" in lower
+
+
+if (not IS_DEVELOPMENT_ENV or not DEBUG) and is_secret_key_unsafe(SECRET_KEY):
+    raise_config_error(
+        "DJANGO_SECRET_KEY is unsafe. Set a strong, unique value for non-development environments."
+    )
+
 if not DEBUG and not ALLOWED_HOSTS:
-    raise ImproperlyConfigured("DJANGO_ALLOWED_HOSTS must not be empty when DEBUG=0.")
+    raise_config_error("DJANGO_ALLOWED_HOSTS must not be empty when DEBUG=0.")
+
+if not DEBUG and "*" in ALLOWED_HOSTS:
+    raise_config_error("DJANGO_ALLOWED_HOSTS must not contain '*' when DEBUG=0.")
 
 INSTALLED_APPS = [
     "django.contrib.admin",

config/settings/production.py

@@ -1,5 +1,6 @@
 from .base import *  # noqa: F403,F401
 import os
+from urllib.parse import urlparse
 from django.core.exceptions import ImproperlyConfigured
 
 DEBUG = False
@@ -20,8 +21,35 @@ SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_SAMESITE = os.getenv("DJANGO_SESSION_COOKIE_SAMESITE", "Lax")
 CSRF_COOKIE_SAMESITE = os.getenv("DJANGO_CSRF_COOKIE_SAMESITE", "Lax")
 
+def _is_local_host(hostname: str | None) -> bool:
+    return (hostname or "").lower() in {"localhost", "127.0.0.1", "::1", "0.0.0.0"}
+
+
+def _is_safe_csrf_origin(origin: str) -> bool:
+    parsed = urlparse(origin)
+    if parsed.scheme != "https":
+        return False
+    return not _is_local_host(parsed.hostname)
+
+
 if not CSRF_TRUSTED_ORIGINS:  # noqa: F405
-    raise ImproperlyConfigured("DJANGO_CSRF_TRUSTED_ORIGINS must be set for production.")
+    raise ImproperlyConfigured("DJANGO_CSRF_TRUSTED_ORIGINS must be explicitly set for production.")
+
+invalid_origins = [origin for origin in CSRF_TRUSTED_ORIGINS if not _is_safe_csrf_origin(origin)]  # noqa: F405
+if invalid_origins:
+    joined = ", ".join(invalid_origins)
+    raise ImproperlyConfigured(
+        "DJANGO_CSRF_TRUSTED_ORIGINS contains unsafe values for production. "
+        f"Use explicit HTTPS origins only. Invalid: {joined}"
+    )
+
+unsafe_hosts = [host for host in ALLOWED_HOSTS if host in {"localhost", "127.0.0.1", "::1", "0.0.0.0"}]  # noqa: F405
+if unsafe_hosts:
+    joined = ", ".join(unsafe_hosts)
+    raise ImproperlyConfigured(
+        "DJANGO_ALLOWED_HOSTS contains localhost-style values in production. "
+        f"Invalid: {joined}"
+    )
 
 STORAGES = {
     "default": {