Take your blog live safely — production settings, secrets from the environment, static files with WhiteNoise, a real WSGI server with Gunicorn, and Django’s deploy checklist.
Why: the development defaults are unsafe in production. Turn DEBUG off (it leaks code and settings), list your real domains in ALLOWED_HOSTS, and read SECRET_KEY from the environment so it never lives in source control.
# config/settings.py
import os
DEBUG = False
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"] # from the environment
ALLOWED_HOSTS = ["myblog.com", "www.myblog.com"]
# tell Django it sits behind an HTTPS proxy
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True

Why: with DEBUG off, Django stops serving static files. WhiteNoise lets your app serve them itself — compressed and cached — with no separate web server. Note: add its middleware just below SecurityMiddleware, then run collectstatic.
pip install whitenoise gunicorn

# config/settings.py
MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "whitenoise.middleware.WhiteNoiseMiddleware",  # right after security
    # ... the rest ...
]
STORAGES = {
    "staticfiles": {
        "BACKEND": "whitenoise.storage.CompressedManifestStaticFilesStorage",
    },
}

Why: runserver is single-threaded and insecure — never use it live. Gunicorn is a production WSGI server that runs multiple workers. Note: it points at the wsgi application in your config package. A process manager or container keeps it running.
Collect static files, then start the server:
python manage.py collectstatic --no-input
python manage.py migrate
gunicorn config.wsgi --bind 0.0.0.0:8000 --workers 3

Why: check --deploy audits your settings for common production mistakes — missing HTTPS flags, a weak SECRET_KEY, DEBUG left on — and prints exactly what to fix. Note: run it with your production settings active before every release.
python manage.py check --deploy

Before going live, confirm:
• DEBUG = False and ALLOWED_HOSTS is set
• SECRET_KEY comes from the environment, not the repo
• Database is PostgreSQL with credentials from env vars
• collectstatic has run and WhiteNoise serves /static/
• HTTPS cookie + proxy settings are on
• migrate has run against the production database
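
The SECRET_KEY and ALLOWED_HOSTS items can also be enforced at startup rather than only confirmed by hand. The following is an added example, not code from the original page: it reads both values from the environment and refuses to start on a missing or weak one, using the weak-key criteria that check --deploy reports. The DJANGO_ALLOWED_HOSTS variable and all function names are assumptions made for illustration.

```python
# Added example: fail-closed loading of production settings from the environment.
# DJANGO_ALLOWED_HOSTS and the function names are assumptions, not from the page.
import os

INSECURE_PREFIX = "django-insecure-"  # prefix on keys generated by startproject


class SettingsError(RuntimeError):
    """Raised when the environment does not describe a safe production setup."""


def validate_secret_key(key):
    """Apply the weak-SECRET_KEY criteria of check --deploy (security.W009)."""
    if not key:
        raise SettingsError("DJANGO_SECRET_KEY is not set")
    if key.startswith(INSECURE_PREFIX):
        raise SettingsError("DJANGO_SECRET_KEY is an auto-generated development key")
    if len(key) < 50 or len(set(key)) < 5:
        raise SettingsError("DJANGO_SECRET_KEY is too short or too repetitive")
    return key


def parse_allowed_hosts(raw):
    """Split a comma-separated host list; reject empty and wildcard values."""
    hosts = [h.strip().lower() for h in (raw or "").split(",") if h.strip()]
    if not hosts:
        raise SettingsError("DJANGO_ALLOWED_HOSTS is empty")
    if "*" in hosts:
        raise SettingsError("wildcard '*' disables Host header validation")
    return hosts


def load_production_settings(env=os.environ):
    """Return the settings values, or raise before Django starts serving."""
    return {
        "DEBUG": False,
        "SECRET_KEY": validate_secret_key(env.get("DJANGO_SECRET_KEY", "")),
        "ALLOWED_HOSTS": parse_allowed_hosts(env.get("DJANGO_ALLOWED_HOSTS")),
        "CSRF_COOKIE_SECURE": True,
        "SESSION_COOKIE_SECURE": True,
    }


if __name__ == "__main__":
    # Constructed sample environment; the key is a throwaway demo value.
    sample = {"DJANGO_SECRET_KEY": "Zy!9qR#4" * 8,
              "DJANGO_ALLOWED_HOSTS": "myblog.com, www.myblog.com"}
    print(load_production_settings(sample)["ALLOWED_HOSTS"])
```

In config/settings.py, assign the returned values to the matching setting names so that a bad environment stops the process at import time instead of surfacing later in a release.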