# Module 09: Deployment Basics

**Estimated Time:** 2 hours  
**Difficulty:** ⭐⭐

---

## Prerequisites

Before starting this module, ensure you've completed:

- ✅ **Module 00-07: Django fundamentals**
- ✅ **Module 08: User Authentication**
- ✅ **Completed blog application**

---

## Learning Objectives

By the end of this module, you will:

- ✅ Understand production vs development environments
- ✅ Configure environment variables with python-decouple
- ✅ Secure sensitive data (SECRET_KEY, passwords)
- ✅ Set up production-ready settings
- ✅ Run Django security checklist
- ✅ Configure static and media files for production
- ✅ Implement security best practices
- ✅ Prepare Django project for deployment

---

## 1. Introduction to Deployment

### Development vs Production

| Feature | Development | Production |
|---------|-------------|------------|
| DEBUG | `True` | `False` |
| SECRET_KEY | Hardcoded | Environment variable |
| Database | SQLite | PostgreSQL/MySQL |
| Static files | Django serves | Web server serves |
| ALLOWED_HOSTS | `[]` | Specific domains |
| Security | Relaxed | Strict |
| Error handling | Detailed | Generic |

### Why Production Settings Matter
- **Security**: Protect sensitive data
- **Performance**: Optimize for speed
- **Reliability**: Handle errors gracefully
- **Scalability**: Support multiple users

In [None]:
from pathlib import Path
import os

# Setup paths
notebook_dir = Path.cwd()
project_path = notebook_dir.parent / "projects" / "myblog"
settings_file = project_path / "myblog" / "settings.py"

print(f"Project: {project_path}")
print(f"Settings file: {settings_file}")

## 2. Environment Variables Setup

Use `python-decouple` to manage environment-specific settings.

In [None]:
# Create .env file
env_template = """# Django settings
SECRET_KEY=your-secret-key-here-change-this-in-production
DEBUG=True
ALLOWED_HOSTS=localhost,127.0.0.1

# Database (for production)
DB_NAME=myblog_db
DB_USER=postgres
DB_PASSWORD=your-db-password
DB_HOST=localhost
DB_PORT=5432

# Email settings (for production)
EMAIL_HOST=smtp.gmail.com
EMAIL_PORT=587
EMAIL_USE_TLS=True
EMAIL_HOST_USER=your-email@gmail.com
EMAIL_HOST_PASSWORD=your-email-password

# Security (production only)
SECURE_SSL_REDIRECT=False
SESSION_COOKIE_SECURE=False
CSRF_COOKIE_SECURE=False
"""

with open(project_path / ".env", "w") as f:
    f.write(env_template)

print("✓ .env file created!")
print("\nIMPORTANT: Never commit .env to version control!")
print("Add to .gitignore:")
print("  .env")
print("  *.env")

In [None]:
# Create .env.example for documentation
env_example = """# Django settings
SECRET_KEY=your-secret-key-here
DEBUG=True
ALLOWED_HOSTS=localhost,127.0.0.1

# Database
DB_NAME=your_database_name
DB_USER=your_database_user
DB_PASSWORD=your_database_password
DB_HOST=localhost
DB_PORT=5432

# Email
EMAIL_HOST=smtp.gmail.com
EMAIL_PORT=587
EMAIL_USE_TLS=True
EMAIL_HOST_USER=your-email@example.com
EMAIL_HOST_PASSWORD=your-app-password

# Security (set to True in production)
SECURE_SSL_REDIRECT=False
SESSION_COOKIE_SECURE=False
CSRF_COOKIE_SECURE=False
"""

with open(project_path / ".env.example", "w") as f:
    f.write(env_example)

print("✓ .env.example created!")
print("\nThis file can be committed to version control as a template.")

## 3. Update .gitignore

Ensure sensitive files are not tracked by Git.

In [None]:
# Create/update .gitignore
gitignore_content = """# Python
*.py[cod]
*$py.class
__pycache__/
*.so
*.egg
*.egg-info/
dist/
build/
.Python
venv/
env/
ENV/

# Django
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal
media/
staticfiles/

# Environment variables
.env
*.env

# IDE
.vscode/
.idea/
*.swp
*.swo
*~

# OS
.DS_Store
Thumbs.db
"""

with open(project_path / ".gitignore", "w") as f:
    f.write(gitignore_content)

print("✓ .gitignore created/updated!")
print("\nProtected files:")
print("  - .env (secrets)")
print("  - db.sqlite3 (database)")
print("  - media/ (uploaded files)")
print("  - staticfiles/ (collected static)")

## 4. Production-Ready Settings

Update `settings.py` to use environment variables.

In [None]:
# Production settings template
production_settings = '''"""Django settings for myblog project."""

from pathlib import Path
from decouple import config, Csv
import os

# Build paths
BASE_DIR = Path(__file__).resolve().parent.parent

# Security settings
SECRET_KEY = config('SECRET_KEY')
DEBUG = config('DEBUG', default=False, cast=bool)
ALLOWED_HOSTS = config('ALLOWED_HOSTS', cast=Csv())

# Application definition
INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    
    # Local apps
    'blog',
    'accounts',
    
    # Third-party apps
    'django_extensions',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

ROOT_URLCONF = 'myblog.urls'

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [BASE_DIR / 'templates'],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'django.template.context_processors.debug',
                'django.template.context_processors.request',
                'django.contrib.auth.context_processors.auth',
                'django.contrib.messages.context_processors.messages',
            ],
        },
    },
]

WSGI_APPLICATION = 'myblog.wsgi.application'

# Database
# Use PostgreSQL in production, SQLite in development
if DEBUG:
    DATABASES = {
        'default': {
            'ENGINE': 'django.db.backends.sqlite3',
            'NAME': BASE_DIR / 'db.sqlite3',
        }
    }
else:
    DATABASES = {
        'default': {
            'ENGINE': 'django.db.backends.postgresql',
            'NAME': config('DB_NAME'),
            'USER': config('DB_USER'),
            'PASSWORD': config('DB_PASSWORD'),
            'HOST': config('DB_HOST', default='localhost'),
            'PORT': config('DB_PORT', default='5432'),
        }
    }

# Password validation
AUTH_PASSWORD_VALIDATORS = [
    {'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator'},
    {'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator'},
    {'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator'},
    {'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator'},
]

# Internationalization
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_TZ = True

# Static files
STATIC_URL = '/static/'
STATIC_ROOT = BASE_DIR / 'staticfiles'
STATICFILES_DIRS = [BASE_DIR / 'static']

# Media files
MEDIA_URL = '/media/'
MEDIA_ROOT = BASE_DIR / 'media'

# Default primary key field type
DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'

# Authentication
LOGIN_URL = '/accounts/login/'
LOGIN_REDIRECT_URL = '/'
LOGOUT_REDIRECT_URL = '/'

# Email configuration
if DEBUG:
    EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
else:
    EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
    EMAIL_HOST = config('EMAIL_HOST')
    EMAIL_PORT = config('EMAIL_PORT', cast=int)
    EMAIL_USE_TLS = config('EMAIL_USE_TLS', cast=bool)
    EMAIL_HOST_USER = config('EMAIL_HOST_USER')
    EMAIL_HOST_PASSWORD = config('EMAIL_HOST_PASSWORD')

# Security settings for production
if not DEBUG:
    SECURE_SSL_REDIRECT = config('SECURE_SSL_REDIRECT', default=True, cast=bool)
    SESSION_COOKIE_SECURE = config('SESSION_COOKIE_SECURE', default=True, cast=bool)
    CSRF_COOKIE_SECURE = config('CSRF_COOKIE_SECURE', default=True, cast=bool)
    SECURE_BROWSER_XSS_FILTER = True
    SECURE_CONTENT_TYPE_NOSNIFF = True
    X_FRAME_OPTIONS = 'DENY'
    SECURE_HSTS_SECONDS = 31536000  # 1 year
    SECURE_HSTS_INCLUDE_SUBDOMAINS = True
    SECURE_HSTS_PRELOAD = True
'''

print("Production settings structure:")
print("\n✓ Uses environment variables for sensitive data")
print("✓ Different database for dev/prod")
print("✓ Different email backend for dev/prod")
print("✓ Security settings enabled in production")
print("✓ HTTPS enforcement in production")
print("\nNOTE: Update your actual settings.py with this structure")

## 5. Generate a Secure SECRET_KEY

In [None]:
# Generate a new SECRET_KEY
from django.core.management.utils import get_random_secret_key

new_secret_key = get_random_secret_key()
print("Generated SECRET_KEY:")
print(new_secret_key)
print("\nAdd this to your .env file:")
print(f"SECRET_KEY={new_secret_key}")
print("\n⚠️  NEVER share or commit this key!")

## 6. Django Security Checklist

Run Django's built-in security check.

In [None]:
# Security checklist information
security_checklist = """
Run these commands to check security:

1. Basic security check:
   python manage.py check --deploy

2. Check for common issues:
   python manage.py check

Common warnings and fixes:

⚠️  SECRET_KEY disclosure
   Fix: Use environment variables (already done)

⚠️  DEBUG = True in production
   Fix: Set DEBUG=False in .env for production

⚠️  ALLOWED_HOSTS not set
   Fix: Set ALLOWED_HOSTS in .env

⚠️  SECURE_SSL_REDIRECT not enabled
   Fix: Enable in production (already configured)

⚠️  SESSION_COOKIE_SECURE not True
   Fix: Enable in production (already configured)

⚠️  CSRF_COOKIE_SECURE not True
   Fix: Enable in production (already configured)
"""

print(security_checklist)

## 7. Static Files for Production

In [None]:
# Static files information
static_files_info = """
Collecting static files for production:

1. Ensure settings are correct:
   STATIC_URL = '/static/'
   STATIC_ROOT = BASE_DIR / 'staticfiles'
   STATICFILES_DIRS = [BASE_DIR / 'static']

2. Collect all static files:
   python manage.py collectstatic

3. What this does:
   - Copies all static files from apps
   - Copies from STATICFILES_DIRS
   - Places everything in STATIC_ROOT
   - Web server serves from STATIC_ROOT

4. In production:
   - Django doesn't serve static files
   - Web server (Nginx/Apache) serves them
   - Much faster and more efficient

File structure after collectstatic:
  staticfiles/
  ├── admin/          (Django admin static files)
  ├── blog/           (Your blog app static files)
  └── ...             (Other app static files)
"""

print(static_files_info)

## 8. Database Migration Strategy

In [None]:
# Database migration workflow
migration_workflow = """
Production database migration workflow:

1. Development:
   python manage.py makemigrations
   python manage.py migrate
   git add migrations/
   git commit -m "Add migrations"

2. Production deployment:
   # Pull latest code
   git pull origin main
   
   # Run migrations
   python manage.py migrate
   
   # Collect static files
   python manage.py collectstatic --no-input
   
   # Restart web server
   sudo systemctl restart gunicorn

3. Backup before migrations:
   # PostgreSQL backup
   pg_dump dbname > backup.sql
   
   # PostgreSQL restore (if needed)
   psql dbname < backup.sql

Best practices:
  ✓ Always backup before migrations
  ✓ Test migrations in staging first
  ✓ Never edit migration files manually
  ✓ Keep migrations in version control
  ✓ Run migrations during low-traffic periods
"""

print(migration_workflow)

## 9. Production Deployment Checklist

In [None]:
# Create deployment checklist
deployment_checklist = """# Django Production Deployment Checklist

## Pre-Deployment

### Security
- [ ] Set DEBUG=False in production
- [ ] Use environment variables for SECRET_KEY
- [ ] Set ALLOWED_HOSTS to your domain(s)
- [ ] Enable HTTPS (SSL certificate)
- [ ] Set SECURE_SSL_REDIRECT=True
- [ ] Set SESSION_COOKIE_SECURE=True
- [ ] Set CSRF_COOKIE_SECURE=True
- [ ] Run python manage.py check --deploy

### Database
- [ ] Use PostgreSQL/MySQL (not SQLite)
- [ ] Create database backup strategy
- [ ] Set up database credentials in .env
- [ ] Test database connections
- [ ] Run all migrations

### Static & Media Files
- [ ] Set STATIC_ROOT correctly
- [ ] Set MEDIA_ROOT correctly
- [ ] Run collectstatic
- [ ] Configure web server to serve static files
- [ ] Set up media file storage (S3/local)

### Email
- [ ] Configure email backend (SMTP)
- [ ] Test email sending
- [ ] Set up email credentials in .env

### Code Quality
- [ ] All tests passing
- [ ] No hardcoded credentials
- [ ] .env not in version control
- [ ] requirements.txt up to date
- [ ] Remove unused dependencies

## Deployment

### Server Setup
- [ ] Install Python (correct version)
- [ ] Install PostgreSQL/MySQL
- [ ] Install web server (Nginx/Apache)
- [ ] Install WSGI server (Gunicorn/uWSGI)
- [ ] Create virtual environment
- [ ] Install dependencies (pip install -r requirements.txt)

### Django Setup
- [ ] Copy .env file (with production values)
- [ ] Run migrations
- [ ] Create superuser
- [ ] Collect static files
- [ ] Test application

### Web Server Configuration
- [ ] Configure Nginx/Apache
- [ ] Set up WSGI application
- [ ] Configure static file serving
- [ ] Configure media file serving
- [ ] Set up SSL certificate
- [ ] Test server configuration

## Post-Deployment

### Monitoring
- [ ] Set up error logging
- [ ] Configure monitoring (Sentry/New Relic)
- [ ] Set up uptime monitoring
- [ ] Monitor server resources

### Backup
- [ ] Set up automated database backups
- [ ] Set up media file backups
- [ ] Test backup restoration

### Performance
- [ ] Enable caching (Redis/Memcached)
- [ ] Optimize database queries
- [ ] Enable GZIP compression
- [ ] Set up CDN for static files

### Security
- [ ] Set up firewall rules
- [ ] Disable root SSH login
- [ ] Keep server updated
- [ ] Regular security audits
"""

with open(project_path / "DEPLOYMENT_CHECKLIST.md", "w") as f:
    f.write(deployment_checklist)

print("✓ Deployment checklist created!")
print(f"\nSaved to: {project_path / 'DEPLOYMENT_CHECKLIST.md'}")

## 10. Requirements File for Production

In [None]:
# Update requirements.txt with production dependencies
production_requirements = """# Core
Django>=4.2,<5.0
python-decouple>=3.8

# Database
psycopg2-binary>=2.9.0  # PostgreSQL adapter

# WSGI Server
gunicorn>=21.2.0

# Static files
whitenoise>=6.5.0  # Simplified static file serving

# Image processing
Pillow>=10.0.0

# Development tools (optional)
django-extensions>=3.2.0

# Security
django-cors-headers>=4.0.0  # If using CORS

# Monitoring (optional)
sentry-sdk>=1.32.0  # Error tracking
"""

print("Production requirements.txt:")
print(production_requirements)
print("\n✓ Install with: pip install -r requirements.txt")

## 11. WhiteNoise for Static Files

WhiteNoise simplifies static file serving in production.

In [None]:
# WhiteNoise configuration
whitenoise_config = """
WhiteNoise Setup:

1. Install:
   pip install whitenoise

2. Add to MIDDLEWARE in settings.py:
   MIDDLEWARE = [
       'django.middleware.security.SecurityMiddleware',
       'whitenoise.middleware.WhiteNoiseMiddleware',  # Add this
       # ... other middleware
   ]

3. Configure static files:
   STATIC_ROOT = BASE_DIR / 'staticfiles'
   STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'

4. Benefits:
   - Serves static files efficiently
   - Compresses files automatically
   - Adds caching headers
   - No need for separate web server for static files
   - Perfect for small to medium sites

5. Collect static files:
   python manage.py collectstatic
"""

print(whitenoise_config)

## 12. Gunicorn Configuration

Gunicorn is a production WSGI server for Django.

In [None]:
# Create gunicorn configuration
gunicorn_config = """# Gunicorn configuration file
# Save as gunicorn_config.py

import multiprocessing

# Server socket
bind = "0.0.0.0:8000"
backlog = 2048

# Worker processes
workers = multiprocessing.cpu_count() * 2 + 1
worker_class = 'sync'
worker_connections = 1000
timeout = 30
keepalive = 2

# Logging
errorlog = '-'  # stdout
loglevel = 'info'
accesslog = '-'  # stdout
access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'

# Process naming
proc_name = 'myblog'

# Server mechanics
daemon = False  # Don't daemonize
pidfile = None
user = None
group = None
tmp_upload_dir = None
"""

with open(project_path / "gunicorn_config.py", "w") as f:
    f.write(gunicorn_config)

print("✓ Gunicorn config created!")
print("\nRun with:")
print("  gunicorn -c gunicorn_config.py myblog.wsgi:application")
print("\nOr simply:")
print("  gunicorn myblog.wsgi:application --bind 0.0.0.0:8000")

## 13. Environment-Specific Settings

Different .env files for different environments.

In [None]:
# Create .env.production template
env_production = """# Production Environment Variables

# Django
SECRET_KEY=CHANGE_THIS_TO_A_LONG_RANDOM_STRING
DEBUG=False
ALLOWED_HOSTS=yourdomain.com,www.yourdomain.com

# Database
DB_NAME=myblog_production
DB_USER=myblog_user
DB_PASSWORD=STRONG_DATABASE_PASSWORD
DB_HOST=localhost
DB_PORT=5432

# Email
EMAIL_HOST=smtp.gmail.com
EMAIL_PORT=587
EMAIL_USE_TLS=True
EMAIL_HOST_USER=your-email@gmail.com
EMAIL_HOST_PASSWORD=your-app-specific-password

# Security
SECURE_SSL_REDIRECT=True
SESSION_COOKIE_SECURE=True
CSRF_COOKIE_SECURE=True

# Optional: Third-party services
# SENTRY_DSN=your-sentry-dsn
# AWS_ACCESS_KEY_ID=your-aws-key
# AWS_SECRET_ACCESS_KEY=your-aws-secret
"""

with open(project_path / ".env.production", "w") as f:
    f.write(env_production)

# Create .env.staging template
env_staging = """# Staging Environment Variables

# Django
SECRET_KEY=CHANGE_THIS_TO_A_DIFFERENT_RANDOM_STRING
DEBUG=False
ALLOWED_HOSTS=staging.yourdomain.com

# Database
DB_NAME=myblog_staging
DB_USER=myblog_user
DB_PASSWORD=STAGING_DATABASE_PASSWORD
DB_HOST=localhost
DB_PORT=5432

# Email (use console in staging)
EMAIL_BACKEND=console

# Security (can be relaxed for staging)
SECURE_SSL_REDIRECT=False
SESSION_COOKIE_SECURE=False
CSRF_COOKIE_SECURE=False
"""

with open(project_path / ".env.staging", "w") as f:
    f.write(env_staging)

print("✓ Environment templates created!")
print("\nFiles:")
print("  - .env (development - already exists)")
print("  - .env.staging (staging environment)")
print("  - .env.production (production environment)")
print("\nUsage:")
print("  Copy appropriate .env file to .env before deployment")

## 14. Logging Configuration

In [None]:
# Logging configuration for production
logging_config = """
# Add to settings.py

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'formatters': {
        'verbose': {
            'format': '{levelname} {asctime} {module} {process:d} {thread:d} {message}',
            'style': '{',
        },
        'simple': {
            'format': '{levelname} {message}',
            'style': '{',
        },
    },
    'filters': {
        'require_debug_false': {
            '()': 'django.utils.log.RequireDebugFalse',
        },
    },
    'handlers': {
        'console': {
            'level': 'INFO',
            'class': 'logging.StreamHandler',
            'formatter': 'simple'
        },
        'file': {
            'level': 'ERROR',
            'class': 'logging.FileHandler',
            'filename': BASE_DIR / 'logs' / 'django.log',
            'formatter': 'verbose',
        },
        'mail_admins': {
            'level': 'ERROR',
            'class': 'django.utils.log.AdminEmailHandler',
            'filters': ['require_debug_false'],
        }
    },
    'root': {
        'handlers': ['console'],
        'level': 'INFO',
    },
    'loggers': {
        'django': {
            'handlers': ['console', 'file'],
            'level': 'INFO',
            'propagate': False,
        },
        'django.request': {
            'handlers': ['mail_admins', 'file'],
            'level': 'ERROR',
            'propagate': False,
        },
    },
}

# Create logs directory
LOGS_DIR = BASE_DIR / 'logs'
LOGS_DIR.mkdir(exist_ok=True)
"""

print("Logging configuration:")
print(logging_config)
print("\n✓ Logs errors to file")
print("✓ Emails admins on errors")
print("✓ Console output for INFO level")

## 15. Quick Deployment Scripts

In [None]:
# Create deployment script
deploy_script = """#!/bin/bash
# deploy.sh - Production deployment script

set -e  # Exit on error

echo "Starting deployment..."

# Pull latest code
echo "Pulling latest code..."
git pull origin main

# Activate virtual environment
echo "Activating virtual environment..."
source venv/bin/activate

# Install/update dependencies
echo "Installing dependencies..."
pip install -r requirements.txt

# Run migrations
echo "Running migrations..."
python manage.py migrate --no-input

# Collect static files
echo "Collecting static files..."
python manage.py collectstatic --no-input

# Restart Gunicorn
echo "Restarting Gunicorn..."
sudo systemctl restart gunicorn

# Restart Nginx (if needed)
echo "Reloading Nginx..."
sudo systemctl reload nginx

echo "Deployment complete!"
"""

# Save as shell script
deploy_file = project_path / "deploy.sh"
with open(deploy_file, "w") as f:
    f.write(deploy_script)

# Make executable
import os

os.chmod(deploy_file, 0o755)

print("✓ Deployment script created!")
print(f"\nSaved to: {deploy_file}")
print("\nMake it executable:")
print("  chmod +x deploy.sh")
print("\nRun deployment:")
print("  ./deploy.sh")

## 11. Hands-On Practice

Prepare your Django app for production!

### Exercise 1: Environment Variables Setup ⭐

**Task**: Secure sensitive data using environment variables.

1. **Install python-decouple**:
```bash
pip install python-decouple
```

2. **Create `.env` file** (NEVER commit this):
```
SECRET_KEY=your-secret-key-here
DEBUG=False
ALLOWED_HOSTS=yourdomain.com,www.yourdomain.com
DATABASE_URL=postgres://user:password@localhost/dbname
```

3. **Update settings.py**:
```python
from decouple import config, Csv

SECRET_KEY = config('SECRET_KEY')
DEBUG = config('DEBUG', default=False, cast=bool)
ALLOWED_HOSTS = config('ALLOWED_HOSTS', cast=Csv())

# For database
import dj_database_url
DATABASES = {
    'default': dj_database_url.config(
        default=config('DATABASE_URL')
    )
}
```

4. **Add `.env` to `.gitignore`**:
```
# .gitignore
.env
*.env
```

---

### Exercise 2: Run Django Security Checklist ⭐

**Task**: Check and fix security issues.

1. **Run the check**:
```bash
python manage.py check --deploy
```

2. **Fix common issues in settings.py**:
```python
# Security settings for production
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_BROWSER_XSS_FILTER = True
SECURE_CONTENT_TYPE_NOSNIFF = True
X_FRAME_OPTIONS = 'DENY'
SECURE_HSTS_SECONDS = 31536000  # 1 year
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
```

3. **Document all security warnings and how you fixed them**

---

### Exercise 3: Static Files for Production ⭐⭐

**Task**: Configure static files for deployment.

1. **Install WhiteNoise**:
```bash
pip install whitenoise
```

2. **Update settings.py**:
```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'whitenoise.middleware.WhiteNoiseMiddleware',  # Add this
    # ... other middleware ...
]

# Static files settings
STATIC_URL = '/static/'
STATIC_ROOT = BASE_DIR / 'staticfiles'
STATICFILES_STORAGE = 'whitenoise.storage.CompressedManifestStaticFilesStorage'
```

3. **Collect static files**:
```bash
python manage.py collectstatic
```

4. **Verify** that staticfiles directory was created with all files

---

### Exercise 4: Create Production Settings File ⭐⭐

**Task**: Separate development and production settings.

**Structure**:
```
myproject/
├── settings/
│   ├── __init__.py
│   ├── base.py         # Common settings
│   ├── development.py  # Dev-specific
│   └── production.py   # Prod-specific
```

**base.py** (common settings):
```python
from pathlib import Path
from decouple import config

BASE_DIR = Path(__file__).resolve().parent.parent.parent

INSTALLED_APPS = [
    # ... your apps ...
]

MIDDLEWARE = [
    # ... your middleware ...
]

# ... other common settings ...
```

**development.py**:
```python
from .base import *

DEBUG = True
ALLOWED_HOSTS = ['localhost', '127.0.0.1']

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': BASE_DIR / 'db.sqlite3',
    }
}
```

**production.py**:
```python
from .base import *
from decouple import config

DEBUG = False
ALLOWED_HOSTS = config('ALLOWED_HOSTS', cast=Csv())

# Use PostgreSQL in production
DATABASES = {
    'default': dj_database_url.config(default=config('DATABASE_URL'))
}

# Security settings
SECURE_SSL_REDIRECT = True
# ... other security settings ...
```

**Usage**:
```bash
# Development
python manage.py runserver --settings=myproject.settings.development

# Production
python manage.py runserver --settings=myproject.settings.production
```

---

### Exercise 5: Create Deployment Checklist ⭐⭐⭐

**Task**: Build a comprehensive deployment checklist.

Create a `DEPLOYMENT_CHECKLIST.md`:

```markdown
# Deployment Checklist

## Pre-Deployment

- [ ] All tests passing (`python manage.py test`)
- [ ] Security check passed (`python manage.py check --deploy`)
- [ ] DEBUG = False in production
- [ ] SECRET_KEY is secure and not in version control
- [ ] ALLOWED_HOSTS configured correctly
- [ ] Database backed up
- [ ] Static files collected (`python manage.py collectstatic`)
- [ ] Requirements.txt updated (`pip freeze > requirements.txt`)

## Security

- [ ] HTTPS enabled (SSL certificate installed)
- [ ] SECURE_SSL_REDIRECT = True
- [ ] SESSION_COOKIE_SECURE = True
- [ ] CSRF_COOKIE_SECURE = True
- [ ] SECURE_HSTS_SECONDS configured
- [ ] Environment variables configured
- [ ] Database credentials secured

## Database

- [ ] Migrations applied (`python manage.py migrate`)
- [ ] Database connection tested
- [ ] Backup strategy in place
- [ ] Database performance optimized (indexes)

## Static & Media Files

- [ ] Static files collected
- [ ] Media files directory configured
- [ ] File upload limits set
- [ ] WhiteNoise or CDN configured

## Monitoring

- [ ] Error logging configured (Sentry, etc.)
- [ ] Performance monitoring setup
- [ ] Uptime monitoring configured
- [ ] Log rotation configured

## Server Configuration

- [ ] Gunicorn installed and configured
- [ ] Nginx configured (if applicable)
- [ ] Firewall rules set
- [ ] Automatic restarts configured (systemd/supervisor)

## Post-Deployment

- [ ] All pages load correctly
- [ ] Forms submit successfully
- [ ] User registration/login works
- [ ] Admin panel accessible
- [ ] Email sending works
- [ ] Scheduled tasks running (if any)
- [ ] Performance tested

## Ongoing

- [ ] Regular backups scheduled
- [ ] Security updates applied
- [ ] Dependencies updated regularly
- [ ] Monitoring reviewed weekly
```

Go through each item for your project!

---

### Bonus: Deploy to Heroku ⭐⭐⭐

**Task**: Actually deploy your blog to Heroku.

1. **Install Heroku CLI** and create account

2. **Create `Procfile`**:
```
web: gunicorn myproject.wsgi
```

3. **Create `runtime.txt`**:
```
python-3.11.4
```

4. **Update requirements.txt**:
```bash
pip install gunicorn dj-database-url psycopg2-binary
pip freeze > requirements.txt
```

5. **Create Heroku app**:
```bash
heroku create your-blog-name
```

6. **Set environment variables**:
```bash
heroku config:set SECRET_KEY=your-secret-key
heroku config:set DEBUG=False
```

7. **Deploy**:
```bash
git push heroku main
heroku run python manage.py migrate
heroku run python manage.py createsuperuser
heroku open
```

---

### 💡 Tips for Success

- ✅ Test deployment process locally first
- ✅ Keep detailed deployment notes
- ✅ Use version control (git) for everything
- ✅ Monitor logs after deployment
- ✅ Have a rollback plan ready

**Complete these exercises and your app will be production-ready!**

---


## 16. Summary & Next Steps

### What We Accomplished

✅ Created environment variable configuration  
✅ Set up .env files for different environments  
✅ Updated .gitignore to protect secrets  
✅ Configured production-ready settings  
✅ Generated secure SECRET_KEY  
✅ Learned Django security checklist  
✅ Configured static file serving  
✅ Set up database migration strategy  
✅ Created deployment checklist  
✅ Configured Gunicorn WSGI server  
✅ Set up WhiteNoise for static files  
✅ Configured logging  
✅ Created deployment scripts  

### Key Concepts Learned

1. **Environment Variables**: Separating configuration from code
2. **Security**: DEBUG=False, ALLOWED_HOSTS, HTTPS enforcement
3. **Secret Management**: Using python-decouple for sensitive data
4. **Static Files**: collectstatic, WhiteNoise, production serving
5. **Database**: PostgreSQL for production, migration strategy
6. **WSGI Server**: Gunicorn for production deployment
7. **Logging**: Error tracking and monitoring
8. **Deployment**: Automated scripts, checklists

### Files Created

**Configuration:**
- `.env`: Development environment variables
- `.env.example`: Template for team members
- `.env.production`: Production environment template
- `.env.staging`: Staging environment template
- `.gitignore`: Protect sensitive files

**Deployment:**
- `DEPLOYMENT_CHECKLIST.md`: Complete deployment guide
- `gunicorn_config.py`: Gunicorn configuration
- `deploy.sh`: Automated deployment script

### Production Deployment Steps

1. **Prepare environment:**
   ```bash
   # Copy production .env
   cp .env.production .env
   
   # Update SECRET_KEY and credentials
   nano .env
   ```

2. **Install dependencies:**
   ```bash
   pip install -r requirements.txt
   ```

3. **Set up database:**
   ```bash
   python manage.py migrate
   python manage.py createsuperuser
   ```

4. **Collect static files:**
   ```bash
   python manage.py collectstatic
   ```

5. **Run security check:**
   ```bash
   python manage.py check --deploy
   ```

6. **Start Gunicorn:**
   ```bash
   gunicorn myblog.wsgi:application
   ```


### Quick Check

Before moving on, ensure you can answer:

1. Why should DEBUG be False in production?
2. What is python-decouple used for?
3. Name three items on the Django security checklist
4. What command checks for security issues?

### What's Next

In **Module 10**, we'll:
- Complete the final blog project
- Integrate all learned concepts
- Add advanced features
- Implement best practices throughout
- Test the complete application
- Review the entire learning journey

### Additional Resources

**Deployment Platforms:**
- Heroku (beginner-friendly)
- DigitalOcean (flexible)
- AWS (scalable)
- PythonAnywhere (simple)

**Documentation:**
- [Django Deployment Checklist](https://docs.djangoproject.com/en/stable/howto/deployment/checklist/)
- [Gunicorn Documentation](https://docs.gunicorn.org/)
- [WhiteNoise Documentation](http://whitenoise.evans.io/)

---

**Excellent work! Your Django app is now production-ready. Continue to Module 10!** 🚀