Deployment Checklist

Before deploying your site to production, go over the following best practices to make sure your site is as stable and secure as possible. Provided here are some best practices related to django-windowsauth, IIS and LDAP.

See also

Check out Django’s deployment checklist too.

  1. Turn DEBUG off. Never leave it enabled on a production setup.

  2. Store your secrets in a secure location. Here is a tutorial about Managing Secrets.

  3. Use a proper cache backend, and enable WAUTH_USE_CACHE for better performance. More about Django’s cache framework

  4. Use a production ready database backend, not SQLite. django-mssql-backend is a great backend for Microsoft SQL Server.

  5. Configure ALLOWED_HOSTS and CSRF_TRUSTED_ORIGINS to exactly match the host names in your IIS Bindings.

  6. Set up Django logging and admin error reporting for your project. See https://docs.djangoproject.com/en/3.1/topics/logging/.

  7. Enable and configure IIS Logging.

  8. Keep your site files on a separate drive from the OS. Consider doing the same for logs and media.

  9. Restrict the NTFS permissions on the web.config files throughout your site to the bare minimum.

  10. Configure HTTPS bindings for your website with a CA signed certificate.

  11. Use only HTTPS for your site, and configure HTTP-to-HTTPS redirection with IIS URL Rewrite. Check out the --https flag for the createwebconfig command. Once the site is HTTPS-only, also set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE in your Django settings.

  12. Enable only Windows Authentication in IIS, and disable Anonymous Authentication, whenever possible.

  13. Protect your Django views with the @login_required decorator and other authorization logic.

  14. Use LDAP over SSL (LDAPS) together with NTLM or Kerberos authentication for your LDAP connection. See Securing LDAP Connections.

  15. Minimize SESSION_COOKIE_AGE and enable SESSION_EXPIRE_AT_BROWSER_CLOSE when using Windows Authentication as SSO. We recommend 86400 (one day, in seconds).

  16. Customize Error Pages for a better user experience.

  17. Schedule the recycling of your Application Pool for the least used time of the day.

  18. Consider increasing Maximum Worker Processes in your Application Pool to accommodate heavy loads. Note that worker processes do not share in-memory state, so this relies on the shared cache backend from item 3.

  19. Set up Request Filtering for your site to limit unintended file access. At a minimum, deny the “.py” and “.config” file extensions.

  20. Enable Dynamic IP Restrictions based on request rate (maximum requests per time interval).
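The IIS-side items of this checklist (7, 10, 12, 17, 18, 19 and 20) can be applied in one script with the WebAdministration module. The script below is an added example, not part of django-windowsauth or its createwebconfig command; the site, pool and host names, the log path and the certificate lookup are assumptions to adapt to your server. It extends item 19 slightly by also denying “.pyc”. Run it in an elevated PowerShell on the IIS host; the authentication and dynamicIpSecurity sections are locked at server level by default, so they are written to applicationHost.config with -Location rather than to the site’s web.config.

```powershell
#Requires -RunAsAdministrator
# Added example (not django-windowsauth code): apply the IIS items of the deployment checklist.
Import-Module WebAdministration

$SiteName = 'MySite'                    # assumed IIS site name
$PoolName = 'MySitePool'                # assumed application pool name
$HostName = 'intranet.example.com'      # must match ALLOWED_HOSTS / CSRF_TRUSTED_ORIGINS (item 5)
$LogDir   = 'D:\Logs\IIS'               # item 8: keep logs off the OS drive
$AppHost  = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, needed for locked sections

# Item 7: W3C logging into a dedicated directory.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.enabled   -Value $true
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.logFormat -Value 'W3C'
Set-ItemProperty "IIS:\Sites\$SiteName" -Name logFile.directory -Value $LogDir

# Item 10: HTTPS binding (SNI) using a CA-signed certificate already imported into LocalMachine\My.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$HostName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName found in LocalMachine\My" }
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName -SslFlags 1
}
if (-not (Test-Path "IIS:\SslBindings\!443!$HostName")) {
    New-Item -Path "IIS:\SslBindings\!443!$HostName" -Value $cert -SSLFlags 1 | Out-Null
}

# Item 12: Windows Authentication only. Both sections are locked at server level, so set them
# per site inside applicationHost.config via -Location.
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Item 17: recycle once a day at 03:00 (assumed quiet hour) instead of the default 29-hour cycle.
$pool = "IIS:\AppPools\$PoolName"
Clear-ItemProperty $pool -Name recycling.periodicRestart.schedule
Set-ItemProperty   $pool -Name recycling.periodicRestart.schedule -Value @{ value = '03:00:00' }
Set-ItemProperty   $pool -Name recycling.periodicRestart.time     -Value '00:00:00'

# Item 18: two worker processes (a web garden). Requires the shared cache backend from item 3.
Set-ItemProperty $pool -Name processModel.maxProcesses -Value 2

# Item 19: Request Filtering. Deny source and configuration files by extension; this lands in
# the site's web.config, the file createwebconfig generates.
$rfFilter = 'system.webServer/security/requestFiltering/fileExtensions'
foreach ($ext in '.py', '.pyc', '.config') {
    if (-not (Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter "$rfFilter/add[@fileExtension='$ext']")) {
        Add-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $rfFilter -Name '.' `
            -Value @{ fileExtension = $ext; allowed = $false }
    }
}

# Item 20: Dynamic IP Restrictions by request rate (needs the IP and Domain Restrictions feature).
if (-not (Get-WindowsFeature Web-IP-Security).Installed) { Install-WindowsFeature Web-IP-Security | Out-Null }
$dipFilter = 'system.webServer/security/dynamicIpSecurity/denyByRequestRate'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $dipFilter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $dipFilter -Name maxRequests -Value 50          # assumed threshold
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $dipFilter -Name requestIntervalInMilliseconds -Value 1000

# Quick verification of what was applied.
Get-WebBinding -Name $SiteName | Format-Table protocol, bindingInformation -AutoSize
Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter "$rfFilter/add" | Format-Table fileExtension, allowed -AutoSize
```

Two caveats when running this: the maxRequests/interval values for Dynamic IP Restrictions are placeholders and should be tuned from your IIS logs, since a busy intranet behind a proxy can exceed them legitimately; and the HTTP-to-HTTPS redirect rule (item 11) is not created here, so generate it with createwebconfig --https or add it to the URL Rewrite rules yourself.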