Django implementation checklist

Set DEBUG=False in the production settings to prevent the exposure of sensitive tracebacks and environment variables.

Ensure SECRET_KEY is loaded from an environment variable or a secret manager, and is not hardcoded in the repository.

Set SESSION_COOKIE_SECURE=True and CSRF_COOKIE_SECURE=True to ensure cookies are only transmitted over HTTPS.

Define ALLOWED_HOSTS with specific domain names to prevent HTTP Host header attacks.

Set SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, and SECURE_HSTS_PRELOAD to enforce SSL at the browser level.

Set CONN_MAX_AGE to a value (e.g., 60) to persist database connections and reduce overhead on high-traffic sites.

Audit models for db_index=True or Meta.indexes on fields used in filtering and ordering to prevent full table scans.

Review views and serializers for missing select_related or prefetch_related calls on foreign key and many-to-many relationships.

Verify that all migrations have been applied and that no pending model changes exist via 'python manage.py makemigrations --check'.

Configure a database router if using read-replicas to offload SELECT queries from the primary write database.

Configure DEFAULT_THROTTLE_CLASSES and DEFAULT_THROTTLE_RATES in DRF settings to prevent API abuse.

Enforce DEFAULT_PAGINATION_CLASS for all list views to prevent large database dumps from crashing the application.

Configure django-cors-headers to only allow requests from trusted frontend origins.

Generate and verify OpenAPI/Swagger documentation using drf-spectacular or similar tools for consumer integration.

Remove BrowsableAPIRenderer from production settings to reduce response payload size and overhead.

Ensure Celery/Redis connections use TLS/SSL and that the broker is not accessible from the public internet.

Configure worker concurrency based on available CPU/RAM to prevent OOM (Out of Memory) kills during peak loads.

Set CELERY_RESULT_BACKEND_MAX_AGE to prevent the result backend database from growing indefinitely.

Implement retry logic with exponential backoff and a dead-letter queue for failing background tasks.

If using async views, configure the ASGI server (e.g., Daphne/Uvicorn) timeouts to match the expected load-balancer timeout.

Use ManifestStaticFilesStorage to enable cache-busting by appending MD5 hashes to filenames.

Configure WhiteNoise or a dedicated CDN to serve static files efficiently without hitting the Django process.

Ensure MEDIA_ROOT is pointed to a persistent volume or cloud storage (S3) rather than ephemeral container storage.

Run 'python manage.py collectstatic --noinput' as part of the CI/CD pipeline to verify asset integrity.

Enable Gzip or Brotli compression for static assets via WhiteNoise or Nginx configuration.

Configure JSON logging formatters to allow ELK or Splunk stacks to parse Django logs effectively.

Initialize Sentry or a similar SDK to capture unhandled exceptions and performance bottlenecks.

Implement a /health/ endpoint that checks database and cache connectivity for load balancer liveness probes.

Set up alerts for slow queries exceeding a specific millisecond threshold in the database layer.

Ensure file-based logs (if used) have rotation policies to prevent disk exhaustion.