mirror of
https://github.com/django/django.git
synced 2024-11-29 22:56:46 +01:00
572 lines
28 KiB
Plaintext
572 lines
28 KiB
Plaintext
======================
|
|
System check framework
|
|
======================
|
|
|
|
.. currentmodule:: django.core.checks
|
|
|
|
The system check framework is a set of static checks for validating Django
|
|
projects. It detects common problems and provides hints for how to fix them.
|
|
The framework is extensible so you can easily add your own checks.
|
|
|
|
For details on how to add your own checks and integrate them with Django's
|
|
system checks, see the :doc:`System check topic guide </topics/checks>`.
|
|
|
|
API Reference
|
|
=============
|
|
|
|
``CheckMessage``
|
|
-----------------
|
|
|
|
.. class:: CheckMessage(level, msg, hint, obj=None, id=None)
|
|
|
|
The warnings and errors raised by system checks must be instances of
|
|
``CheckMessage``. An instance encapsulates a single reportable error or
|
|
warning. It also provides context and hints applicable to the message, and a
|
|
unique identifier that is used for filtering purposes.
|
|
|
|
Constructor arguments are:
|
|
|
|
``level``
|
|
The severity of the message. Use one of the predefined values: ``DEBUG``,
|
|
``INFO``, ``WARNING``, ``ERROR``, ``CRITICAL``. If the level is greater or
|
|
equal to ``ERROR``, then Django will prevent management commands from
|
|
executing. Messages with level lower than ``ERROR`` (i.e. warnings) are
|
|
reported to the console, but can be silenced.
|
|
|
|
``msg``
|
|
A short (less than 80 characters) string describing the problem. The string
|
|
should *not* contain newlines.
|
|
|
|
``hint``
|
|
A single-line string providing a hint for fixing the problem. If no hint
|
|
can be provided, or the hint is self-evident from the error message, the
|
|
hint can be omitted, or a value of ``None`` can be used.
|
|
|
|
``obj``
|
|
Optional. An object providing context for the message (for example, the
|
|
model where the problem was discovered). The object should be a model,
|
|
field, or manager or any other object that defines ``__str__`` method (on
|
|
Python 2 you need to define ``__unicode__`` method). The method is used
|
|
while reporting all messages and its result precedes the message.
|
|
|
|
``id``
|
|
Optional string. A unique identifier for the issue. Identifiers should
|
|
follow the pattern ``applabel.X001``, where ``X`` is one of the letters
|
|
``CEWID``, indicating the message severity (``C`` for criticals, ``E`` for
|
|
errors and so). The number can be allocated by the application, but should
|
|
be unique within that application.
|
|
|
|
There are subclasses to make creating messages with common levels easier. When
|
|
using them you can omit the ``level`` argument because it is implied by the
|
|
class name.
|
|
|
|
.. class:: Debug(msg, hint, obj=None, id=None)
|
|
.. class:: Info(msg, hint, obj=None, id=None)
|
|
.. class:: Warning(msg, hint, obj=None, id=None)
|
|
.. class:: Error(msg, hint, obj=None, id=None)
|
|
.. class:: Critical(msg, hint, obj=None, id=None)
|
|
|
|
Builtin checks
|
|
==============
|
|
|
|
Builtin tags
|
|
------------
|
|
|
|
Django's system checks are organized using the following tags:
|
|
|
|
* ``models``: Checks governing model, field and manager definitions.
|
|
* ``signals``: Checks on signal declarations and handler registrations.
|
|
* ``admin``: Checks of any admin site declarations.
|
|
* ``compatibility``: Flagging potential problems with version upgrades.
|
|
* ``security``: Checks security related configuration.
|
|
* ``templates``: Checks template related configuration.
|
|
|
|
Some checks may be registered with multiple tags.
|
|
|
|
Core system checks
|
|
------------------
|
|
|
|
Models
|
|
~~~~~~
|
|
|
|
* **models.E001**: ``<swappable>`` is not of the form ``app_label.app_name``.
|
|
* **models.E002**: ``<SETTING>`` references ``<model>``, which has not been
|
|
installed, or is abstract.
|
|
* **models.E003**: The model has two many-to-many relations through the
|
|
intermediate model ``<app_label>.<model>``.
|
|
* **models.E004**: ``id`` can only be used as a field name if the field also
|
|
sets ``primary_key=True``.
|
|
* **models.E005**: The field ``<field name>`` from parent model ``<model>``
|
|
clashes with the field ``<field name>`` from parent model ``<model>``.
|
|
* **models.E006**: The field clashes with the field ``<field name>`` from model
|
|
``<model>``.
|
|
* **models.E007**: Field ``<field name>`` has column name ``<column name>``
|
|
that is used by another field.
|
|
* **models.E008**: ``index_together`` must be a list or tuple.
|
|
* **models.E009**: All ``index_together`` elements must be lists or tuples.
|
|
* **models.E010**: ``unique_together`` must be a list or tuple.
|
|
* **models.E011**: All ``unique_together`` elements must be lists or tuples.
|
|
* **models.E012**: ``index_together/unique_together`` refers to the
|
|
non-existent field ``<field name>``.
|
|
* **models.E013**: ``index_together/unique_together`` refers to a
|
|
``ManyToManyField`` ``<field name>``, but ``ManyToManyField``\s are not
|
|
supported for that option.
|
|
* **models.E014**: ``ordering`` must be a tuple or list (even if you want to
|
|
order by only one field).
|
|
* **models.E015**: ``ordering`` refers to the non-existent field
|
|
``<field name>``.
|
|
* **models.E016**: ``index_together/unique_together`` refers to field
|
|
``<field_name>`` which is not local to model ``<model>``.
|
|
* **models.E017**: Proxy model ``<model>`` contains model fields.
|
|
* **models.E018**: Autogenerated column name too long for field ``<field>``.
|
|
Maximum length is ``<maximum length>`` for database ``<alias>``.
|
|
* **models.E019**: Autogenerated column name too long for M2M field
|
|
``<M2M field>``. Maximum length is ``<maximum length>`` for database
|
|
``<alias>``.
|
|
* **models.E020**: The ``<model>.check()`` class method is currently overridden.
|
|
* **models.E021**: ``ordering`` and ``order_with_respect_to`` cannot be used
|
|
together.
|
|
|
|
Fields
|
|
~~~~~~
|
|
|
|
* **fields.E001**: Field names must not end with an underscore.
|
|
* **fields.E002**: Field names must not contain ``"__"``.
|
|
* **fields.E003**: ``pk`` is a reserved word that cannot be used as a field
|
|
name.
|
|
* **fields.E004**: ``choices`` must be an iterable (e.g., a list or tuple).
|
|
* **fields.E005**: ``choices`` must be an iterable returning ``(actual value,
|
|
human readable name)`` tuples.
|
|
* **fields.E006**: ``db_index`` must be ``None``, ``True`` or ``False``.
|
|
* **fields.E007**: Primary keys must not have ``null=True``.
|
|
* **fields.E100**: ``AutoField``\s must set primary_key=True.
|
|
* **fields.E110**: ``BooleanField``\s do not accept null values.
|
|
* **fields.E120**: ``CharField``\s must define a ``max_length`` attribute.
|
|
* **fields.E121**: ``max_length`` must be a positive integer.
|
|
* **fields.W122**: ``max_length`` is ignored when used with ``IntegerField``.
|
|
* **fields.E130**: ``DecimalField``\s must define a ``decimal_places`` attribute.
|
|
* **fields.E131**: ``decimal_places`` must be a non-negative integer.
|
|
* **fields.E132**: ``DecimalField``\s must define a ``max_digits`` attribute.
|
|
* **fields.E133**: ``max_digits`` must be a non-negative integer.
|
|
* **fields.E134**: ``max_digits`` must be greater or equal to ``decimal_places``.
|
|
* **fields.E140**: ``FilePathField``\s must have either ``allow_files`` or
|
|
``allow_folders`` set to True.
|
|
* **fields.E150**: ``GenericIPAddressField``\s cannot accept blank values if
|
|
null values are not allowed, as blank values are stored as nulls.
|
|
* **fields.E160**: The options ``auto_now``, ``auto_now_add``, and ``default``
|
|
are mutually exclusive. Only one of these options may be present.
|
|
* **fields.W161**: Fixed default value provided.
|
|
* **fields.E900**: ``IPAddressField`` has been removed except for support in
|
|
historical migrations.
|
|
* **fields.W900**: ``IPAddressField`` has been deprecated. Support for it
|
|
(except in historical migrations) will be removed in Django 1.9. *This check
|
|
appeared in Django 1.7 and 1.8*.
|
|
|
|
File Fields
|
|
~~~~~~~~~~~
|
|
|
|
* **fields.E200**: ``unique`` is not a valid argument for a ``FileField``.
|
|
* **fields.E201**: ``primary_key`` is not a valid argument for a ``FileField``.
|
|
* **fields.E210**: Cannot use ``ImageField`` because Pillow is not installed.
|
|
|
|
Related Fields
|
|
~~~~~~~~~~~~~~
|
|
|
|
* **fields.E300**: Field defines a relation with model ``<model>``, which is
|
|
either not installed, or is abstract.
|
|
* **fields.E301**: Field defines a relation with the model ``<model>`` which
|
|
has been swapped out.
|
|
* **fields.E302**: Accessor for field ``<field name>`` clashes with field
|
|
``<field name>``.
|
|
* **fields.E303**: Reverse query name for field ``<field name>`` clashes with
|
|
field ``<field name>``.
|
|
* **fields.E304**: Field name ``<field name>`` clashes with accessor for
|
|
``<field name>``.
|
|
* **fields.E305**: Field name ``<field name>`` clashes with reverse query name
|
|
for ``<field name>``.
|
|
* **fields.E306**: Related name must be a valid Python identifier or end with
|
|
a ``'+'``.
|
|
* **fields.E310**: None of the fields ``<field1>``, ``<field2>``, ... on model
|
|
``<model>`` have a ``unique=True`` constraint.
|
|
* **fields.E311**: ``<model>`` must set ``unique=True`` because it is
|
|
referenced by a ``ForeignKey``.
|
|
* **fields.E320**: Field specifies ``on_delete=SET_NULL``, but cannot be null.
|
|
* **fields.E321**: The field specifies ``on_delete=SET_DEFAULT``, but has no
|
|
default value.
|
|
* **fields.E330**: ``ManyToManyField``\s cannot be unique.
|
|
* **fields.E331**: Field specifies a many-to-many relation through model
|
|
``<model>``, which has not been installed.
|
|
* **fields.E332**: Many-to-many fields with intermediate tables must not be
|
|
symmetrical.
|
|
* **fields.E333**: The model is used as an intermediate model by ``<model>``,
|
|
but it has more than two foreign keys to ``<model>``, which is ambiguous.
|
|
You must specify which two foreign keys Django should use via the
|
|
``through_fields`` keyword argument.
|
|
* **fields.E334**: The model is used as an intermediate model by ``<model>``,
|
|
but it has more than one foreign key from ``<model>``, which is ambiguous.
|
|
You must specify which foreign key Django should use via the
|
|
``through_fields`` keyword argument.
|
|
* **fields.E335**: The model is used as an intermediate model by ``<model>``,
|
|
but it has more than one foreign key to ``<model>``, which is ambiguous.
|
|
You must specify which foreign key Django should use via the
|
|
``through_fields`` keyword argument.
|
|
* **fields.E336**: The model is used as an intermediary model by ``<model>``,
|
|
but it does not have foreign key to ``<model>`` or ``<model>``.
|
|
* **fields.E337**: Field specifies ``through_fields`` but does not provide the
|
|
names of the two link fields that should be used for the relation through
|
|
``<model>``.
|
|
* **fields.E338**: The intermediary model ``<through model>`` has no field
|
|
``<field name>``.
|
|
* **fields.E339**: ``<model>.<field name>`` is not a foreign key to ``<model>``.
|
|
* **fields.W340**: ``null`` has no effect on ``ManyToManyField``.
|
|
* **fields.W341**: ``ManyToManyField`` does not support ``validators``.
|
|
* **fields.W342**: Setting ``unique=True`` on a ``ForeignKey`` has the same
|
|
effect as using a ``OneToOneField``.
|
|
|
|
Signals
|
|
~~~~~~~
|
|
|
|
* **signals.E001**: ``<handler>`` was connected to the ``<signal>`` signal with
|
|
a lazy reference to the ``<model>`` sender, which has not been installed.
|
|
|
|
Backwards Compatibility
|
|
~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
The following checks are performed to warn the user of any potential problems
|
|
that might occur as a result of a version upgrade.
|
|
|
|
* **1_6.W001**: Some project unit tests may not execute as expected. *This
|
|
check was removed in Django 1.8 due to false positives*.
|
|
* **1_6.W002**: ``BooleanField`` does not have a default value. *This
|
|
check was removed in Django 1.8 due to false positives*.
|
|
* **1_7.W001**: Django 1.7 changed the global defaults for the
|
|
``MIDDLEWARE_CLASSES.``
|
|
``django.contrib.sessions.middleware.SessionMiddleware``,
|
|
``django.contrib.auth.middleware.AuthenticationMiddleware``, and
|
|
``django.contrib.messages.middleware.MessageMiddleware`` were removed from
|
|
the defaults. If your project needs these middleware then you should
|
|
configure this setting. *This check was removed in Django 1.9*.
|
|
* **1_8.W001**: The standalone ``TEMPLATE_*`` settings were deprecated in
|
|
Django 1.8 and the :setting:`TEMPLATES` dictionary takes precedence. You must
|
|
put the values of the following settings into your defaults ``TEMPLATES``
|
|
dict: :setting:`TEMPLATE_DIRS`, :setting:`ALLOWED_INCLUDE_ROOTS`,
|
|
:setting:`TEMPLATE_CONTEXT_PROCESSORS`, :setting:`TEMPLATE_DEBUG`,
|
|
:setting:`TEMPLATE_LOADERS`, :setting:`TEMPLATE_STRING_IF_INVALID`.
|
|
|
|
Admin
|
|
-----
|
|
|
|
Admin checks are all performed as part of the ``admin`` tag.
|
|
|
|
The following checks are performed on any
|
|
:class:`~django.contrib.admin.ModelAdmin` (or subclass) that is registered
|
|
with the admin site:
|
|
|
|
* **admin.E001**: The value of ``raw_id_fields`` must be a list or tuple.
|
|
* **admin.E002**: The value of ``raw_id_fields[n]`` refers to ``<field name>``,
|
|
which is not an attribute of ``<model>``.
|
|
* **admin.E003**: The value of ``raw_id_fields[n]`` must be a ``ForeignKey`` or
|
|
``ManyToManyField``.
|
|
* **admin.E004**: The value of ``fields`` must be a list or tuple.
|
|
* **admin.E005**: Both ``fieldsets`` and ``fields`` are specified.
|
|
* **admin.E006**: The value of ``fields`` contains duplicate field(s).
|
|
* **admin.E007**: The value of ``fieldsets`` must be a list or tuple.
|
|
* **admin.E008**: The value of ``fieldsets[n]`` must be a list or tuple.
|
|
* **admin.E009**: The value of ``fieldsets[n]`` must be of length 2.
|
|
* **admin.E010**: The value of ``fieldsets[n][1]`` must be a dictionary.
|
|
* **admin.E011**: The value of ``fieldsets[n][1]`` must contain the key
|
|
``fields``.
|
|
* **admin.E012**: There are duplicate field(s) in ``fieldsets[n][1]``.
|
|
* **admin.E013**: ``fields[n]/fieldsets[n][m]`` cannot include the
|
|
``ManyToManyField`` ``<field name>``, because that field manually specifies a
|
|
relationship model.
|
|
* **admin.E014**: The value of ``exclude`` must be a list or tuple.
|
|
* **admin.E015**: The value of ``exclude`` contains duplicate field(s).
|
|
* **admin.E016**: The value of ``form`` must inherit from ``BaseModelForm``.
|
|
* **admin.E017**: The value of ``filter_vertical`` must be a list or tuple.
|
|
* **admin.E018**: The value of ``filter_horizontal`` must be a list or tuple.
|
|
* **admin.E019**: The value of ``filter_vertical[n]/filter_vertical[n]`` refers
|
|
to ``<field name>``, which is not an attribute of ``<model>``.
|
|
* **admin.E020**: The value of ``filter_vertical[n]/filter_vertical[n]`` must
|
|
be a ``ManyToManyField``.
|
|
* **admin.E021**: The value of ``radio_fields`` must be a dictionary.
|
|
* **admin.E022**: The value of ``radio_fields`` refers to ``<field name>``,
|
|
which is not an attribute of ``<model>``.
|
|
* **admin.E023**: The value of ``radio_fields`` refers to ``<field name>``,
|
|
which is not a ``ForeignKey``, and does not have a ``choices`` definition.
|
|
* **admin.E024**: The value of ``radio_fields[<field name>]`` must be either
|
|
``admin.HORIZONTAL`` or ``admin.VERTICAL``.
|
|
* **admin.E025**: The value of ``view_on_site`` must be either a callable or a
|
|
boolean value.
|
|
* **admin.E026**: The value of ``prepopulated_fields`` must be a dictionary.
|
|
* **admin.E027**: The value of ``prepopulated_fields`` refers to
|
|
``<field name>``, which is not an attribute of ``<model>``.
|
|
* **admin.E028**: The value of ``prepopulated_fields`` refers to
|
|
``<field name>``, which must not be a ``DateTimeField``, ``ForeignKey`` or
|
|
``ManyToManyField``.
|
|
* **admin.E029**: The value of ``prepopulated_fields[<field name>]`` must be a
|
|
list or tuple.
|
|
* **admin.E030**: The value of ``prepopulated_fields`` refers to
|
|
``<field name>``, which is not an attribute of ``<model>``.
|
|
* **admin.E031**: The value of ``ordering`` must be a list or tuple.
|
|
* **admin.E032**: The value of ``ordering`` has the random ordering marker
|
|
``?``, but contains other fields as well.
|
|
* **admin.E033**: The value of ``ordering`` refers to ``<field name>``, which
|
|
is not an attribute of ``<model>``.
|
|
* **admin.E034**: The value of ``readonly_fields`` must be a list or tuple.
|
|
* **admin.E035**: The value of ``readonly_fields[n]`` is not a callable, an
|
|
attribute of ``<ModelAdmin class>``, or an attribute of ``<model>``.
|
|
|
|
ModelAdmin
|
|
~~~~~~~~~~
|
|
|
|
The following checks are performed on any
|
|
:class:`~django.contrib.admin.ModelAdmin` that is registered
|
|
with the admin site:
|
|
|
|
* **admin.E101**: The value of ``save_as`` must be a boolean.
|
|
* **admin.E102**: The value of ``save_on_top`` must be a boolean.
|
|
* **admin.E103**: The value of ``inlines`` must be a list or tuple.
|
|
* **admin.E104**: ``<InlineModelAdmin class>`` must inherit from
|
|
``BaseModelAdmin``.
|
|
* **admin.E105**: ``<InlineModelAdmin class>`` must have a ``model`` attribute.
|
|
* **admin.E106**: The value of ``<InlineModelAdmin class>.model`` must be a
|
|
``Model``.
|
|
* **admin.E107**: The value of ``list_display`` must be a list or tuple.
|
|
* **admin.E108**: The value of ``list_display[n]`` refers to ``<label>``,
|
|
which is not a callable, an attribute of ``<ModelAdmin class>``, or an
|
|
attribute or method on ``<model>``.
|
|
* **admin.E109**: The value of ``list_display[n]`` must not be a
|
|
``ManyToManyField``.
|
|
* **admin.E110**: The value of ``list_display_links`` must be a list, a tuple,
|
|
or ``None``.
|
|
* **admin.E111**: The value of ``list_display_links[n]`` refers to ``<label>``,
|
|
which is not defined in ``list_display``.
|
|
* **admin.E112**: The value of ``list_filter`` must be a list or tuple.
|
|
* **admin.E113**: The value of ``list_filter[n]`` must inherit from
|
|
``ListFilter``.
|
|
* **admin.E114**: The value of ``list_filter[n]`` must not inherit from
|
|
``FieldListFilter``.
|
|
* **admin.E115**: The value of ``list_filter[n][1]`` must inherit from
|
|
``FieldListFilter``.
|
|
* **admin.E116**: The value of ``list_filter[n]`` refers to ``<label>``,
|
|
which does not refer to a Field.
|
|
* **admin.E117**: The value of ``list_select_related`` must be a boolean,
|
|
tuple or list.
|
|
* **admin.E118**: The value of ``list_per_page`` must be an integer.
|
|
* **admin.E119**: The value of ``list_max_show_all`` must be an integer.
|
|
* **admin.E120**: The value of ``list_editable`` must be a list or tuple.
|
|
* **admin.E121**: The value of ``list_editable[n]`` refers to ``<label>``,
|
|
which is not an attribute of ``<model>``.
|
|
* **admin.E122**: The value of ``list_editable[n]`` refers to ``<label>``,
|
|
which is not contained in ``list_display``.
|
|
* **admin.E123**: The value of ``list_editable[n]`` cannot be in both
|
|
``list_editable`` and ``list_display_links``.
|
|
* **admin.E124**: The value of ``list_editable[n]`` refers to the first field
|
|
in ``list_display`` (``<label>``), which cannot be used unless
|
|
``list_display_links`` is set.
|
|
* **admin.E125**: The value of ``list_editable[n]`` refers to ``<field name>``,
|
|
which is not editable through the admin.
|
|
* **admin.E126**: The value of ``search_fields`` must be a list or tuple.
|
|
* **admin.E127**: The value of ``date_hierarchy`` refers to ``<field name>``,
|
|
which is not an attribute of ``<model>``.
|
|
* **admin.E128**: The value of ``date_hierarchy`` must be a ``DateField`` or
|
|
``DateTimeField``.
|
|
|
|
InlineModelAdmin
|
|
~~~~~~~~~~~~~~~~
|
|
|
|
The following checks are performed on any
|
|
:class:`~django.contrib.admin.InlineModelAdmin` that is registered as an
|
|
inline on a :class:`~django.contrib.admin.ModelAdmin`.
|
|
|
|
* **admin.E201**: Cannot exclude the field ``<field name>``, because it is the
|
|
foreign key to the parent model ``<app_label>.<model>``.
|
|
* **admin.E202**: ``<model>`` has no ``ForeignKey`` to ``<parent model>``./
|
|
``<model>`` has more than one ``ForeignKey`` to ``<parent model>``.
|
|
* **admin.E203**: The value of ``extra`` must be an integer.
|
|
* **admin.E204**: The value of ``max_num`` must be an integer.
|
|
* **admin.E205**: The value of ``min_num`` must be an integer.
|
|
* **admin.E206**: The value of ``formset`` must inherit from
|
|
``BaseModelFormSet``.
|
|
|
|
GenericInlineModelAdmin
|
|
~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
The following checks are performed on any
|
|
:class:`~django.contrib.contenttypes.admin.GenericInlineModelAdmin` that is
|
|
registered as an inline on a :class:`~django.contrib.admin.ModelAdmin`.
|
|
|
|
* **admin.E301**: ``'ct_field'`` references ``<label>``, which is not a field
|
|
on ``<model>``.
|
|
* **admin.E302**: ``'ct_fk_field'`` references ``<label>``, which is not a
|
|
field on ``<model>``.
|
|
* **admin.E303**: ``<model>`` has no ``GenericForeignKey``.
|
|
* **admin.E304**: ``<model>`` has no ``GenericForeignKey`` using content type
|
|
field ``<field name>`` and object ID field ``<field name>``.
|
|
|
|
|
|
Auth
|
|
----
|
|
|
|
* **auth.E001**: ``REQUIRED_FIELDS`` must be a list or tuple.
|
|
* **auth.E002**: The field named as the ``USERNAME_FIELD`` for a custom user
|
|
model must not be included in ``REQUIRED_FIELDS``.
|
|
* **auth.E003**: ``<field>`` must be unique because it is named as the
|
|
``USERNAME_FIELD``.
|
|
* **auth.W004**: ``<field>`` is named as the ``USERNAME_FIELD``, but it is not
|
|
unique.
|
|
|
|
|
|
Content Types
|
|
-------------
|
|
|
|
The following checks are performed when a model contains a
|
|
:class:`~django.contrib.contenttypes.fields.GenericForeignKey` or
|
|
:class:`~django.contrib.contenttypes.fields.GenericRelation`:
|
|
|
|
* **contenttypes.E001**: The ``GenericForeignKey`` object ID references the
|
|
non-existent field ``<field>``.
|
|
* **contenttypes.E002**: The ``GenericForeignKey`` content type references the
|
|
non-existent field ``<field>``.
|
|
* **contenttypes.E003**: ``<field>`` is not a ``ForeignKey``.
|
|
* **contenttypes.E004**: ``<field>`` is not a ``ForeignKey`` to
|
|
``contenttypes.ContentType``.
|
|
|
|
Security
|
|
--------
|
|
|
|
The security checks do not make your site secure. They do not audit code, do
|
|
intrusion detection, or do anything particularly complex. Rather, they help
|
|
perform an automated, low-hanging-fruit checklist. They help you remember the
|
|
simple things that improve your site's security.
|
|
|
|
Some of these checks may not be appropriate for your particular deployment
|
|
configuration. For instance, if you do your HTTP to HTTPS redirection in a load
|
|
balancer, it'd be irritating to be constantly warned about not having enabled
|
|
:setting:`SECURE_SSL_REDIRECT`. Use :setting:`SILENCED_SYSTEM_CHECKS` to
|
|
silence unneeded checks.
|
|
|
|
The following checks will be run if you use the :djadminopt:`--deploy` option
|
|
of the :djadmin:`check` command:
|
|
|
|
* **security.W001**: You do not have
|
|
:class:`django.middleware.security.SecurityMiddleware` in your
|
|
:setting:`MIDDLEWARE_CLASSES` so the :setting:`SECURE_HSTS_SECONDS`,
|
|
:setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_BROWSER_XSS_FILTER`,
|
|
and :setting:`SECURE_SSL_REDIRECT` settings will have no effect.
|
|
* **security.W002**: You do not have
|
|
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
|
|
:setting:`MIDDLEWARE_CLASSES`, so your pages will not be served with an
|
|
``'x-frame-options'`` header. Unless there is a good reason for your
|
|
site to be served in a frame, you should consider enabling this
|
|
header to help prevent clickjacking attacks.
|
|
* **security.W003**: You don't appear to be using Django's built-in cross-site
|
|
request forgery protection via the middleware
|
|
(:class:`django.middleware.csrf.CsrfViewMiddleware` is not in your
|
|
:setting:`MIDDLEWARE_CLASSES`). Enabling the middleware is the safest
|
|
approach to ensure you don't leave any holes.
|
|
* **security.W004**: You have not set a value for the
|
|
:setting:`SECURE_HSTS_SECONDS` setting. If your entire site is served only
|
|
over SSL, you may want to consider setting a value and enabling :ref:`HTTP
|
|
Strict Transport Security <http-strict-transport-security>`. Be sure to read
|
|
the documentation first; enabling HSTS carelessly can cause serious,
|
|
irreversible problems.
|
|
* **security.W005**: You have not set the
|
|
:setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` setting to ``True``. Without this,
|
|
your site is potentially vulnerable to attack via an insecure connection to a
|
|
subdomain. Only set this to ``True`` if you are certain that all subdomains of
|
|
your domain should be served exclusively via SSL.
|
|
* **security.W006**: Your :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting is not
|
|
set to ``True``, so your pages will not be served with an
|
|
``'x-content-type-options: nosniff'`` header. You should consider enabling
|
|
this header to prevent the browser from identifying content types incorrectly.
|
|
* **security.W007**: Your :setting:`SECURE_BROWSER_XSS_FILTER` setting is not
|
|
set to ``True``, so your pages will not be served with an
|
|
``'x-xss-protection: 1; mode=block'`` header. You should consider enabling
|
|
this header to activate the browser's XSS filtering and help prevent XSS
|
|
attacks.
|
|
* **security.W008**: Your :setting:`SECURE_SSL_REDIRECT` setting is not set to
|
|
``True``. Unless your site should be available over both SSL and non-SSL
|
|
connections, you may want to either set this setting to ``True`` or configure
|
|
a load balancer or reverse-proxy server to redirect all connections to HTTPS.
|
|
* **security.W009**: Your :setting:`SECRET_KEY` has less than 50 characters or
|
|
less than 5 unique characters. Please generate a long and random
|
|
``SECRET_KEY``, otherwise many of Django's security-critical features will be
|
|
vulnerable to attack.
|
|
* **security.W010**: You have :mod:`django.contrib.sessions` in your
|
|
:setting:`INSTALLED_APPS` but you have not set
|
|
:setting:`SESSION_COOKIE_SECURE` to ``True``. Using a secure-only session
|
|
cookie makes it more difficult for network traffic sniffers to hijack user
|
|
sessions.
|
|
* **security.W011**: You have
|
|
:class:`django.contrib.sessions.middleware.SessionMiddleware` in your
|
|
:setting:`MIDDLEWARE_CLASSES`, but you have not set
|
|
:setting:`SESSION_COOKIE_SECURE` to ``True``. Using a secure-only session
|
|
cookie makes it more difficult for network traffic sniffers to hijack user
|
|
sessions.
|
|
* **security.W012**: :setting:`SESSION_COOKIE_SECURE` is not set to ``True``.
|
|
Using a secure-only session cookie makes it more difficult for network traffic
|
|
sniffers to hijack user sessions.
|
|
* **security.W013**: You have :mod:`django.contrib.sessions` in your
|
|
:setting:`INSTALLED_APPS`, but you have not set
|
|
:setting:`SESSION_COOKIE_HTTPONLY` to ``True``. Using an ``HttpOnly`` session
|
|
cookie makes it more difficult for cross-site scripting attacks to hijack user
|
|
sessions.
|
|
* **security.W014**: You have
|
|
:class:`django.contrib.sessions.middleware.SessionMiddleware` in your
|
|
:setting:`MIDDLEWARE_CLASSES`, but you have not set
|
|
:setting:`SESSION_COOKIE_HTTPONLY` to ``True``. Using an ``HttpOnly`` session
|
|
cookie makes it more difficult for cross-site scripting attacks to hijack user
|
|
sessions.
|
|
* **security.W015**: :setting:`SESSION_COOKIE_HTTPONLY` is not set to ``True``.
|
|
Using an ``HttpOnly`` session cookie makes it more difficult for cross-site
|
|
scripting attacks to hijack user sessions.
|
|
* **security.W016**: :setting:`CSRF_COOKIE_SECURE` is not set to ``True``.
|
|
Using a secure-only CSRF cookie makes it more difficult for network traffic
|
|
sniffers to steal the CSRF token.
|
|
* **security.W017**: :setting:`CSRF_COOKIE_HTTPONLY` is not set to ``True``.
|
|
Using an ``HttpOnly`` CSRF cookie makes it more difficult for cross-site
|
|
scripting attacks to steal the CSRF token.
|
|
* **security.W018**: You should not have :setting:`DEBUG` set to ``True`` in
|
|
deployment.
|
|
* **security.W019**: You have
|
|
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
|
|
:setting:`MIDDLEWARE_CLASSES`, but :setting:`X_FRAME_OPTIONS` is not set to
|
|
``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
|
|
for your site to serve other parts of itself in a frame, you should change
|
|
it to ``'DENY'``.
|
|
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
|
|
|
|
Sites
|
|
-----
|
|
|
|
The following checks are performed on any model using a
|
|
:class:`~django.contrib.sites.managers.CurrentSiteManager`:
|
|
|
|
* **sites.E001**: ``CurrentSiteManager`` could not find a field named
|
|
``<field name>``.
|
|
* **sites.E002**: ``CurrentSiteManager`` cannot use ``<field>`` as it is not a
|
|
``ForeignKey`` or ``ManyToManyField``.
|
|
|
|
Database
|
|
--------
|
|
|
|
MySQL
|
|
~~~~~
|
|
|
|
If you're using MySQL, the following checks will be performed:
|
|
|
|
* **mysql.E001**: MySQL does not allow unique ``CharField``\s to have a
|
|
``max_length`` > 255.
|
|
|
|
Templates
|
|
---------
|
|
|
|
The following checks verify that your :setting:`TEMPLATES` setting is correctly
|
|
configured:
|
|
|
|
* **templates.E001**: You have ``'APP_DIRS': True`` in your
|
|
:setting:`TEMPLATES` but also specify ``'loaders'`` in ``OPTIONS``. Either
|
|
remove ``APP_DIRS`` or remove the ``'loaders'`` option.
|