The system check framework is a set of static checks for validating Django projects. It detects common problems and provides hints for how to fix them. The framework is extensible so you can easily add your own checks.
For details on how to add your own checks and integrate them with Django’s system checks, see the System check topic guide.
CheckMessage
class CheckMessage(level, msg, hint, obj=None, id=None)
[source]
The warnings and errors raised by system checks must be instances of CheckMessage
. An instance encapsulates a single reportable error or warning. It also provides context and hints applicable to the message, and a unique identifier that is used for filtering purposes.
Constructor arguments are:
level
DEBUG
, INFO
, WARNING
, ERROR
, CRITICAL
. If the level is greater or equal to ERROR
, then Django will prevent management commands from executing. Messages with level lower than ERROR
(i.e. warnings) are reported to the console, but can be silenced.msg
hint
None
can be used.obj
__str__
method (on Python 2 you need to define __unicode__
method). The method is used while reporting all messages and its result precedes the message.id
applabel.X001
, where X
is one of the letters CEWID
, indicating the message severity (C
for criticals, E
for errors and so). The number can be allocated by the application, but should be unique within that application.There are subclasses to make creating messages with common levels easier. When using them you can omit the level
argument because it is implied by the class name.
class Debug(msg, hint, obj=None, id=None)
[source]
class Info(msg, hint, obj=None, id=None)
[source]
class Warning(msg, hint, obj=None, id=None)
[source]
class Error(msg, hint, obj=None, id=None)
[source]
class Critical(msg, hint, obj=None, id=None)
[source]
Django’s system checks are organized using the following tags:
models
: Checks governing model, field and manager definitions.signals
: Checks on signal declarations and handler registrations.admin
: Checks of any admin site declarations.compatibility
: Flagging potential problems with version upgrades.security
: Checks security related configuration.Some checks may be registered with multiple tags.
<swappable>
is not of the form app_label.app_name
.<SETTING>
references <model>
, which has not been installed, or is abstract.<app_label>.<model>
.id
can only be used as a field name if the field also sets primary_key=True
.<field name>
from parent model <model>
clashes with the field <field name>
from parent model <model>
.<field name>
from model <model>
.<field name>
has column name <column name>
that is used by another field.index_together
must be a list or tuple.index_together
elements must be lists or tuples.unique_together
must be a list or tuple.unique_together
elements must be lists or tuples.index_together/unique_together
refers to the non-existent field <field name>
.index_together/unique_together
refers to a ManyToManyField
<field name>
, but ManyToManyField
s are not supported for that option.ordering
must be a tuple or list (even if you want to order by only one field).ordering
refers to the non-existent field <field name>
.index_together/unique_together
refers to field <field_name>
which is not local to model <model>
.<model>
contains model fields.<field>
. Maximum length is <maximum length>
for database <alias>
.<M2M field>
. Maximum length is <maximum length>
for database <alias>
.<model>.check()
class method is currently overridden."__"
.pk
is a reserved word that cannot be used as a field name.choices
must be an iterable (e.g., a list or tuple).choices
must be an iterable returning (actual value,
human readable name)
tuples.db_index
must be None
, True
or False
.null=True
.AutoField
s must set primary_key=True.BooleanField
s do not accept null values.CharField
s must define a max_length
attribute.max_length
must be a positive integer.max_length
is ignored when used with IntegerField
.DecimalField
s must define a decimal_places
attribute.decimal_places
must be a non-negative integer.DecimalField
s must define a max_digits
attribute.max_digits
must be a non-negative integer.max_digits
must be greater or equal to decimal_places
.FilePathField
s must have either allow_files
or allow_folders
set to True.GenericIPAddressField
s cannot accept blank values if null values are not allowed, as blank values are stored as nulls.auto_now
, auto_now_add
, and default
are mutually exclusive. Only one of these options may be present.IPAddressField
has been deprecated. Support for it (except in historical migrations) will be removed in Django 1.9.unique
is not a valid argument for a FileField
.primary_key
is not a valid argument for a FileField
.ImageField
because Pillow is not installed.<model>
, which is either not installed, or is abstract.<model>
which has been swapped out.<field name>
clashes with field <field name>
.<field name>
clashes with field <field name>
.<field name>
clashes with accessor for <field name>
.<field name>
clashes with reverse query name for <field name>
.'+'
.<field1>
, <field2>
, ... on model <model>
have a unique=True
constraint.<model>
must set unique=True
because it is referenced by a ForeignKey
.on_delete=SET_NULL
, but cannot be null.on_delete=SET_DEFAULT
, but has no default value.ManyToManyField
s cannot be unique.<model>
, which has not been installed.<model>
, but it has more than two foreign keys to <model>
, which is ambiguous. You must specify which two foreign keys Django should use via the through_fields
keyword argument.<model>
, but it has more than one foreign key from <model>
, which is ambiguous. You must specify which foreign key Django should use via the through_fields
keyword argument.<model>
, but it has more than one foreign key to <model>
, which is ambiguous. You must specify which foreign key Django should use via the through_fields
keyword argument.<model>
, but it does not have foreign key to <model>
or <model>
.through_fields
but does not provide the names of the two link fields that should be used for the relation through <model>
.<through model>
has no field <field name>
.<model>.<field name>
is not a foreign key to <model>
.null
has no effect on ManyToManyField
.ManyToManyField
does not support validators
.unique=True
on a ForeignKey
has the same effect as using a OneToOneField
.<handler>
was connected to the <signal>
signal with a lazy reference to the <model>
sender, which has not been installed.The following checks are performed to warn the user of any potential problems that might occur as a result of a version upgrade.
BooleanField
does not have a default value. This check was removed in Django 1.8 due to false positives.MIDDLEWARE_CLASSES.
django.contrib.sessions.middleware.SessionMiddleware
, django.contrib.auth.middleware.AuthenticationMiddleware
, and django.contrib.messages.middleware.MessageMiddleware
were removed from the defaults. If your project needs these middleware then you should configure this setting.TEMPLATE_*
settings were deprecated in Django 1.8 and the TEMPLATES
dictionary takes precedence. You must put the values of the following settings into your defaults TEMPLATES
dict: TEMPLATE_DIRS
, ALLOWED_INCLUDE_ROOTS
, TEMPLATE_CONTEXT_PROCESSORS
, TEMPLATE_DEBUG
, TEMPLATE_LOADERS
, TEMPLATE_STRING_IF_INVALID
.Admin checks are all performed as part of the admin
tag.
The following checks are performed on any ModelAdmin
(or subclass) that is registered with the admin site:
raw_id_fields
must be a list or tuple.raw_id_fields[n]
refers to <field name>
, which is not an attribute of <model>
.raw_id_fields[n]
must be a ForeignKey
or ManyToManyField
.fields
must be a list or tuple.fieldsets
and fields
are specified.fields
contains duplicate field(s).fieldsets
must be a list or tuple.fieldsets[n]
must be a list or tuple.fieldsets[n]
must be of length 2.fieldsets[n][1]
must be a dictionary.fieldsets[n][1]
must contain the key fields
.fieldsets[n][1]
.fields[n]/fieldsets[n][m]
cannot include the ManyToManyField
<field name>
, because that field manually specifies a relationship model.exclude
must be a list or tuple.exclude
contains duplicate field(s).form
must inherit from BaseModelForm
.filter_vertical
must be a list or tuple.filter_horizontal
must be a list or tuple.filter_vertical[n]/filter_vertical[n]
refers to <field name>
, which is not an attribute of <model>
.filter_vertical[n]/filter_vertical[n]
must be a ManyToManyField
.radio_fields
must be a dictionary.radio_fields
refers to <field name>
, which is not an attribute of <model>
.radio_fields
refers to <field name>
, which is not a ForeignKey
, and does not have a choices
definition.radio_fields[<field name>]
must be either admin.HORIZONTAL
or admin.VERTICAL
.view_on_site
must be either a callable or a boolean value.prepopulated_fields
must be a dictionary.prepopulated_fields
refers to <field name>
, which is not an attribute of <model>
.prepopulated_fields
refers to <field name>
, which must not be a DateTimeField
, ForeignKey
or ManyToManyField
.prepopulated_fields[<field name>]
must be a list or tuple.prepopulated_fields
refers to <field name>
, which is not an attribute of <model>
.ordering
must be a list or tuple.ordering
has the random ordering marker ?
, but contains other fields as well.ordering
refers to <field name>
, which is not an attribute of <model>
.readonly_fields
must be a list or tuple.readonly_fields[n]
is not a callable, an attribute of <ModelAdmin class>
, or an attribute of <model>
.The following checks are performed on any ModelAdmin
that is registered with the admin site:
save_as
must be a boolean.save_on_top
must be a boolean.inlines
must be a list or tuple.<InlineModelAdmin class>
must inherit from BaseModelAdmin
.<InlineModelAdmin class>
must have a model
attribute.<InlineModelAdmin class>.model
must be a Model
.list_display
must be a list or tuple.list_display[n]
refers to <label>
, which is not a callable, an attribute of <ModelAdmin class>
, or an attribute or method on <model>
.list_display[n]
must not be a ManyToManyField
.list_display_links
must be a list, a tuple, or None
.list_display_links[n]
refers to <label>
, which is not defined in list_display
.list_filter
must be a list or tuple.list_filter[n]
must inherit from ListFilter
.list_filter[n]
must not inherit from FieldListFilter
.list_filter[n][1]
must inherit from FieldListFilter
.list_filter[n]
refers to <label>
, which does not refer to a Field.list_select_related
must be a boolean, tuple or list.list_per_page
must be an integer.list_max_show_all
must be an integer.list_editable
must be a list or tuple.list_editable[n]
refers to <label>
, which is not an attribute of <model>
.list_editable[n]
refers to <label>
, which is not contained in list_display
.list_editable[n]
cannot be in both list_editable
and list_display_links
.list_editable[n]
refers to the first field in list_display
(<label>
), which cannot be used unless list_display_links
is set.list_editable[n]
refers to <field name>
, which is not editable through the admin.search_fields
must be a list or tuple.date_hierarchy
refers to <field name>
, which is not an attribute of <model>
.date_hierarchy
must be a DateField
or DateTimeField
.The following checks are performed on any InlineModelAdmin
that is registered as an inline on a ModelAdmin
.
<field name>
, because it is the foreign key to the parent model <app_label>.<model>
.<model>
has no ForeignKey
to <parent model>
./ <model>
has more than one ForeignKey
to <parent model>
.extra
must be an integer.max_num
must be an integer.min_num
must be an integer.formset
must inherit from BaseModelFormSet
.The following checks are performed on any GenericInlineModelAdmin
that is registered as an inline on a ModelAdmin
.
'ct_field'
references <label>
, which is not a field on <model>
.'ct_fk_field'
references <label>
, which is not a field on <model>
.<model>
has no GenericForeignKey
.<model>
has no GenericForeignKey
using content type field <field name>
and object ID field <field name>
.REQUIRED_FIELDS
must be a list or tuple.USERNAME_FIELD
for a custom user model must not be included in REQUIRED_FIELDS
.<field>
must be unique because it is named as the USERNAME_FIELD
.<field>
is named as the USERNAME_FIELD
, but it is not unique.The following checks are performed when a model contains a GenericForeignKey
or GenericRelation
:
GenericForeignKey
object ID references the non-existent field <field>
.GenericForeignKey
content type references the non-existent field <field>
.<field>
is not a ForeignKey
.<field>
is not a ForeignKey
to contenttypes.ContentType
.The security checks do not make your site secure. They do not audit code, do intrusion detection, or do anything particularly complex. Rather, they help perform an automated, low-hanging-fruit checklist. They help you remember the simple things that improve your site’s security.
Some of these checks may not be appropriate for your particular deployment configuration. For instance, if you do your HTTP to HTTPS redirection in a load balancer, it’d be irritating to be constantly warned about not having enabled SECURE_SSL_REDIRECT
. Use SILENCED_SYSTEM_CHECKS
to silence unneeded checks.
The following checks will be run if you use the --deploy
option of the check
command:
django.middleware.security.SecurityMiddleware
in your MIDDLEWARE_CLASSES
so the SECURE_HSTS_SECONDS
, SECURE_CONTENT_TYPE_NOSNIFF
, SECURE_BROWSER_XSS_FILTER
, and SECURE_SSL_REDIRECT
settings will have no effect.django.middleware.clickjacking.XFrameOptionsMiddleware
in your MIDDLEWARE_CLASSES
, so your pages will not be served with an 'x-frame-options'
header. Unless there is a good reason for your site to be served in a frame, you should consider enabling this header to help prevent clickjacking attacks.django.middleware.csrf.CsrfViewMiddleware
is not in your MIDDLEWARE_CLASSES
). Enabling the middleware is the safest approach to ensure you don’t leave any holes.SECURE_HSTS_SECONDS
setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.SECURE_HSTS_INCLUDE_SUBDOMAINS
setting to True
. Without this, your site is potentially vulnerable to attack via an insecure connection to a subdomain. Only set this to True
if you are certain that all subdomains of your domain should be served exclusively via SSL.SECURE_CONTENT_TYPE_NOSNIFF
setting is not set to True
, so your pages will not be served with an 'x-content-type-options: nosniff'
header. You should consider enabling this header to prevent the browser from identifying content types incorrectly.SECURE_BROWSER_XSS_FILTER
setting is not set to True
, so your pages will not be served with an 'x-xss-protection: 1; mode=block'
header. You should consider enabling this header to activate the browser’s XSS filtering and help prevent XSS attacks.SECURE_SSL_REDIRECT
setting is not set to True
. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting to True
or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.SECRET_KEY
has less than 50 characters or less than 5 unique characters. Please generate a long and random SECRET_KEY
, otherwise many of Django’s security-critical features will be vulnerable to attack.django.contrib.sessions
in your INSTALLED_APPS
but you have not set SESSION_COOKIE_SECURE
to True
. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.django.contrib.sessions.middleware.SessionMiddleware
in your MIDDLEWARE_CLASSES
, but you have not set SESSION_COOKIE_SECURE
to True
. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.SESSION_COOKIE_SECURE
is not set to True
. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.django.contrib.sessions
in your INSTALLED_APPS
, but you have not set SESSION_COOKIE_HTTPONLY
to True
. Using an HttpOnly
session cookie makes it more difficult for cross-site scripting attacks to hijack user sessions.django.contrib.sessions.middleware.SessionMiddleware
in your MIDDLEWARE_CLASSES
, but you have not set SESSION_COOKIE_HTTPONLY
to True
. Using an HttpOnly
session cookie makes it more difficult for cross-site scripting attacks to hijack user sessions.SESSION_COOKIE_HTTPONLY
is not set to True
. Using an HttpOnly
session cookie makes it more difficult for cross-site scripting attacks to hijack user sessions.CSRF_COOKIE_SECURE
is not set to True
. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.CSRF_COOKIE_HTTPONLY
is not set to True
. Using an HttpOnly
CSRF cookie makes it more difficult for cross-site scripting attacks to steal the CSRF token.DEBUG
set to True
in deployment.django.middleware.clickjacking.XFrameOptionsMiddleware
in your MIDDLEWARE_CLASSES
, but X_FRAME_OPTIONS
is not set to 'DENY'
. The default is 'SAMEORIGIN'
, but unless there is a good reason for your site to serve other parts of itself in a frame, you should change it to 'DENY'
.The following checks are performed on any model using a CurrentSiteManager
:
CurrentSiteManager
could not find a field named <field name>
.CurrentSiteManager
cannot use <field>
as it is not a ForeignKey
or ManyToManyField
.If you’re using MySQL, the following checks will be performed:
CharField
s to have a max_length
> 255.
© Django Software Foundation and individual contributors
Licensed under the BSD License.
https://docs.djangoproject.com/en/1.8/ref/checks/