Security Overview

next.dj relies on Django’s middleware stack and template engine for the bulk of its security guarantees. This page lists the Django mechanisms that apply unchanged and the framework-specific surfaces that need extra attention.

Django Guarantees Used Unchanged

The framework does not bypass any standard Django middleware.

  • CSRF tokens flow through the standard CsrfViewMiddleware.

  • Session management uses the standard SessionMiddleware.

  • Authentication uses AuthenticationMiddleware and the standard auth backends.

  • Permissions checking, password hashing, and signed cookies remain unchanged.

  • Django template engine auto-escaping is active for every page and component template.

A standard MIDDLEWARE block in settings.py is therefore enough to inherit the full Django security baseline.

Framework Specific Surfaces

The framework adds three surfaces that warrant attention.

File router input.

Captured URL parameters and query values reach Python through the dependency resolver. Treat them as untrusted; see DI and Untrusted Input.

Form dispatch path.

/_next/form/<uid>/ is the dispatch endpoint for every action. See CSRF and Forms for the CSRF flow.

Co-located assets.

Component- and page-level CSS and JS ship through the static collector. See Static Asset Security for origins, hashes, and integrity.

Common Threats

CSRF.

Django middleware plus the framework {% form %} tag cover the standard form path. Manual <form> elements need an explicit {% csrf_token %}.

XSS.

Django template auto-escaping prevents most cases. Context functions that return mark_safe strings or HTML strings bypass escaping. Apply mark_safe only to values you fully control, and never to untrusted input, as covered in DI and Untrusted Input.

SQL injection.

The Django ORM uses parameterised queries. Raw SQL inside a custom provider must pass values through the params argument of execute(), never by string formatting. See DI and Untrusted Input for the custom-provider validation pattern.
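An added example (not next.dj's code) of the raw-SQL rule above, run against an in-memory sqlite3 database with a constructed app_user table so it needs no Django setup: the same lookup is written once with string formatting and once with a placeholder, and the output shows why only the second form is acceptable inside a custom provider. sqlite3 uses ? as its placeholder; a cursor from Django's connection uses %s with the same params list.

```python
# Added example (not next.dj's code): raw SQL with a placeholder versus string formatting.
# Uses the standard-library sqlite3 driver; table and rows are constructed sample data.
import sqlite3

ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO app_user VALUES (?, ?)", ROWS)
    return conn


def emails_for_injectable(conn, username):
    # BAD: the untrusted value becomes part of the SQL text, so quoting in the
    # value changes the query's meaning.
    sql = f"SELECT email FROM app_user WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def emails_for(conn, username):
    # GOOD: the driver sends the value separately from the SQL text; it can
    # only ever be compared as data. (Django cursors: "... = %s", [username])
    sql = "SELECT email FROM app_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, [username])]


def compare(username):
    """Run the lookup both ways on a fresh database; returns (injectable, safe)."""
    conn = make_db()
    try:
        return emails_for_injectable(conn, username), emails_for(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))
    print(compare("' OR '1'='1"))
```

For a normal username both functions agree; for a value containing a quote the formatted query returns every row, while the parameterised query simply finds no user with that literal name.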

Mass assignment.

Use ModelForm.Meta.fields to whitelist editable fields. Avoid Meta.exclude, because any field added to the model later is editable by default and silently joins the form.

Path traversal.

The form dispatcher validates the posted _next_form_page path against BASE_DIR. A submission that points outside BASE_DIR returns HTTP 400.
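An illustration of the containment check described above, added here and not next.dj's own dispatcher code: the posted path is joined to a base directory, normalised with realpath so that .. segments and symlinks are resolved, and accepted only if the result is still inside the base. The BASE_DIR value and the posted paths are constructed for the example.

```python
# Added example (not next.dj's code): containing a posted path inside BASE_DIR.
# Uses os.path.realpath so both ".." and symlinks are resolved before comparing.
import os

BASE_DIR = "/srv/app"  # constructed stand-in for the project's BASE_DIR


def contain_in_base(posted_path, base_dir=BASE_DIR):
    """Return the absolute path if it stays inside base_dir, else None."""
    if not posted_path:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when posted_path is absolute, so "/etc/passwd"
    # is still caught by the containment test below.
    candidate = os.path.realpath(os.path.join(base, posted_path))
    # commonpath compares whole components, so "/srv/app2" does not pass for
    # a base of "/srv/app" the way a naive str.startswith check would allow.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def dispatch_status(posted_path, base_dir=BASE_DIR):
    """Status code a dispatcher would answer: 400 for anything outside base."""
    return 200 if contain_in_base(posted_path, base_dir) is not None else 400


if __name__ == "__main__":
    for p in ["pages/index.py", "../../etc/passwd", "/etc/passwd", "../app2/x.py"]:
        print(f"{p!r:>22} -> {dispatch_status(p)}")
```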

Open redirect.

HttpResponseRedirect accepts any URL, including external and scheme-relative ones. Validate destinations before passing user input into a redirect target.

Production Hardening

A short list of production-specific settings.

  • Set SECURE_SSL_REDIRECT = True to redirect every HTTP request to HTTPS.

  • Set SECURE_CONTENT_TYPE_NOSNIFF = True to block MIME-type sniffing.

  • Set SECURE_HSTS_SECONDS = 31536000 to send a one-year HSTS header.

  • Set SECURE_HSTS_INCLUDE_SUBDOMAINS = True to extend HSTS to all subdomains.

  • Set SECURE_HSTS_PRELOAD = True to allow submission to the HSTS preload list.

  • Set SESSION_COOKIE_SECURE = True to send the session cookie only over HTTPS.

  • Set CSRF_COOKIE_SECURE = True to send the CSRF cookie only over HTTPS.

  • Set CSRF_TRUSTED_ORIGINS = ["https://..."] to restrict cross-origin form submissions to listed origins.

Run uv run python manage.py check --deploy and resolve every warning. See Deployment Checklist for the full pre-deploy review.

System Checks

The framework system checks cover configuration mistakes that affect security.

  • next.E041 reports two actions registered under the same name from different handlers.

  • next.E045 reports a form action backend that does not subclass FormActionBackend.

  • next.E020 reports a component name collision that could mask a third party component.

Run them with uv run python manage.py check.

See Also

  • CSRF and Forms for the form pipeline.

  • Static Asset Security for the static pipeline.

  • DI and Untrusted Input for the dependency surface.

  • JavaScript Context for runtime script options that interact with CSP.

  • Reporting a Vulnerability for vulnerability disclosure.