Serving a HTTPS only Django Application is very important to secure your users data. If your application have user authentication it is already a good reason to start using HTTPS only. Otherwise usernames and passwords will be exposed traveling over HTTP in plain text. Meaning if a user is using a public internet connection, and he logs in your application, he is vulnerable to a sniffer attack.
It is important to not only secure login, password change and payment pages with HTTPS, but the whole application. Otherwise you will be only protecting your user base only temporarily.
In this tutorial I will guide you through all the necessary steps to correctly secure your Django Application, using an inexpensive SSL certificate from Namecheap.
Getting a SSL Certificate
The first step is to get a SSL for your Django Application. There are a few options: you can generate your own certificate, you can get a free one from Let’s Encrypt or you can purchase one from the many companies on the internet.
In this tutorial I will use a simple commercial SSL certificate by Positive SSL registered from Namecheap. You can get it for $9.00/yr clicking here.
PS: I get commission for purchases using the link above.
Generate a CSR code
CSR stand for Certificate Signing Request and it is a base64 encoded data usually generated in the server-side.
Since we will be using Nginx for the web server, we will use openssl.
Usually CSR openssl configuration contains by default the details as follows below:
- Common Name (the domain name certificate should be issued for)
- State (or province)
- Locality (or city)
- Organizational Unit (Department)
- E-mail address
To generate the CSR code run the following code in your server terminal:
After hitting enter you should see something like that:
You will be prompted a few questions:
After answering all the questions, check if the files was created correctly:
Activate the SSL Certificate
Grab the contents of the file
designacademy.csr and paste it into the activation page:
After submitting the data, you will be asked to confirm it. Now it is time to validate that you actually own the domain. Usually there are three different ways to validate you own a domain: Email, HTTP-based or DNS-based. Pick the most suitable option for you. In my case, DNS-based it is.
Visit the details page to get the instructions to create the CNAME (in case you have selected the DNS-based validation).
Add a CNAME record with the given values:
Installing the SSL Certificate
After the activation process of your certificate, you should receive the necessary certificate files in your email address. It comes usually in a .zip archive containing the files:
Concatenate the two files:
Upload those files to your server using
Now you will need two files:
- designacademy.key (the key you genered while creating the CSR)
Copy both files to
Edit your virtual hosts file:
Restart the nginx:
And it is already working, serving all requests with HTTPS only:
Finally, add a few extra configurations to your
Restart your Django application and it is all set up.
I strongly recommend reading the official Django Documentation on SSL/HTTPS before
adding the extra configurations to your
settings.py, as if not done correctly can seriously expose your application.
Even though I’m using the Namecheap SSL certificate as an example, the steps described in this tutorial is applicable for any commercial SSL certificate.
If you want to purchase the same certificate I used in this tutorial, click in the link below:
Disclaimer: I get commission from purchases using the link above.