ABSOLUTE_URL_OVERRIDES¶

Default:{} (Empty dictionary)

A dictionary mapping"app_label.model_name" strings to functions that takea model object and return its URL. This is a way of inserting or overridingget_absolute_url() methods on a per-installation basis. Example:

ABSOLUTE_URL_OVERRIDES={"blogs.blog":lambdao:"/blogs/%s/"%o.slug,"news.story":lambdao:"/stories/%s/%s/"%(o.pub_year,o.slug),}

The model name used in this setting should be all lowercase, regardless of thecase of the actual model class name.

ADMINS¶

Default:[] (Empty list)

A list of all the people who get code error notifications. WhenDEBUG=False andAdminEmailHandleris configured inLOGGING (done by default), Django emails thesepeople the details of exceptions raised in the request/response cycle.

Each item in the list should be an email address string. Example:

ADMINS=["john@example.com",'"Ng, Mary" <mary@example.com>']

ALLOWED_HOSTS¶

Default:[] (Empty list)

A list of strings representing the host/domain names that this Django site canserve. This is a security measure to preventHTTP Host header attacks, which are possible even under manyseemingly-safe web server configurations.

Values in this list can be fully qualified names (e.g.'www.example.com'),in which case they will be matched against the request’sHost headerexactly (case-insensitive, not including port). A value beginning with a periodcan be used as a subdomain wildcard:'.example.com' will matchexample.com,www.example.com, and any other subdomain ofexample.com. A value of'*' will match anything; in this case you areresponsible to provide your own validation of theHost header (perhaps in amiddleware; if so this middleware must be listed first inMIDDLEWARE).

Django also allows thefully qualified domain name (FQDN) of any entries.Some browsers include a trailing dot in theHost header which Djangostrips when performing host validation.

If theHost header (orX-Forwarded-Host ifUSE_X_FORWARDED_HOST is enabled) does not match any value in thislist, thedjango.http.HttpRequest.get_host() method will raiseSuspiciousOperation.

WhenDEBUG isTrue andALLOWED_HOSTS is empty, the hostis validated against['.localhost','127.0.0.1','[::1]'].

ALLOWED_HOSTS is alsochecked when running tests.

This validation only applies viaget_host();if your code accesses theHost header directly fromrequest.META youare bypassing this security protection.

APPEND_SLASH¶

Default:True

When set toTrue, if the request URL does not match any of the patternsin the URLconf and it doesn’t end in a slash, an HTTP redirect is issued to thesame URL with a slash appended. Note that the redirect may cause any datasubmitted in a POST request to be lost.

TheAPPEND_SLASH setting is only used ifCommonMiddleware is installed(seeMiddleware). See alsoPREPEND_WWW.

CACHES¶

Default:

{"default":{"BACKEND":"django.core.cache.backends.locmem.LocMemCache",}}

A dictionary containing the settings for all caches to be used withDjango. It is a nested dictionary whose contents maps cache aliasesto a dictionary containing the options for an individual cache.

TheCACHES setting must configure adefault cache;any number of additional caches may also be specified. If youare using a cache backend other than the local memory cache, oryou need to define multiple caches, other options will be required.The following cache options are available.

defmake_key(key,key_prefix,version):return":".join([key_prefix,str(version),key])

CACHES={"default":{"BACKEND":"django.core.cache.backends.filebased.FileBasedCache","LOCATION":"/var/tmp/django_cache",}}

CACHE_MIDDLEWARE_ALIAS¶

Default:'default'

The cache connection to use for thecache middleware.

CACHE_MIDDLEWARE_KEY_PREFIX¶

Default:'' (Empty string)

A string which will be prefixed to the cache keys generated by thecachemiddleware. This prefix is combined with theKEY_PREFIX setting; it does not replace it.

SeeDjango’s cache framework.

CACHE_MIDDLEWARE_SECONDS¶

Default:600

The default integer number of seconds to cache a page for thecache middleware.

SeeDjango’s cache framework.

CSRF_COOKIE_AGE¶

Default:31449600 (approximately 1 year, in seconds)

The age of CSRF cookies, in seconds.

The reason for setting a long-lived expiration time is to avoid problems inthe case of a user closing a browser or bookmarking a page and then loadingthat page from a browser cache. Without persistent cookies, the form submissionwould fail in this case.

Some browsers (specifically Internet Explorer) can disallow the use ofpersistent cookies or can have the indexes to the cookie jar corrupted on disk,thereby causing CSRF protection checks to (sometimes intermittently) fail.Change this setting toNone to use session-based CSRF cookies, whichkeep the cookies in-memory instead of on persistent storage.

CSRF_COOKIE_DOMAIN¶

Default:None

The domain to be used when setting the CSRF cookie. This can be useful foreasily allowing cross-subdomain requests to be excluded from the normal crosssite request forgery protection. It should be set to a string such as".example.com" to allow a POST request from a form on one subdomain to beaccepted by a view served from another subdomain.

Please note that the presence of this setting does not imply that Django’s CSRFprotection is safe from cross-subdomain attacks by default - please see theCSRF limitations section.

CSRF_COOKIE_HTTPONLY¶

Default:False

Whether to useHttpOnly flag on the CSRF cookie. If this is set toTrue, client-side JavaScript will not be able to access the CSRF cookie.

Designating the CSRF cookie asHttpOnly doesn’t offer any practicalprotection because CSRF is only to protect against cross-domain attacks. If anattacker can read the cookie via JavaScript, they’re already on the same domainas far as the browser knows, so they can do anything they like anyway. (XSS isa much bigger hole than CSRF.)

Although the setting offers little practical benefit, it’s sometimes requiredby security auditors.

If you enable this and need to send the value of the CSRF token with an AJAXrequest, your JavaScript must pull the valuefrom a hidden CSRF tokenform input instead offrom the cookie.

SeeSESSION_COOKIE_HTTPONLY for details onHttpOnly.

CSRF_COOKIE_NAME¶

Default:'csrftoken'

The name of the cookie to use for the CSRF authentication token. This can bewhatever you want (as long as it’s different from the other cookie names inyour application). SeeCross Site Request Forgery protection.

CSRF_COOKIE_PATH¶

Default:'/'

The path set on the CSRF cookie. This should either match the URL path of yourDjango installation or be a parent of that path.

This is useful if you have multiple Django instances running under the samehostname. They can use different cookie paths, and each instance will only seeits own CSRF cookie.

CSRF_COOKIE_SAMESITE¶

Default:'Lax'

The value of theSameSite flag on the CSRF cookie. This flag prevents thecookie from being sent in cross-site requests.

SeeSESSION_COOKIE_SAMESITE for details aboutSameSite.

CSRF_COOKIE_SECURE¶

Default:False

Whether to use a secure cookie for the CSRF cookie. If this is set toTrue,the cookie will be marked as “secure”, which means browsers may ensure that thecookie is only sent with an HTTPS connection.

CSRF_USE_SESSIONS¶

Default:False

Whether to store the CSRF token in the user’s session instead of in a cookie.It requires the use ofdjango.contrib.sessions.

Storing the CSRF token in a cookie (Django’s default) is safe, but storing itin the session is common practice in other web frameworks and thereforesometimes demanded by security auditors.

Since thedefault error views require the CSRF token,SessionMiddleware must appear inMIDDLEWARE before any middleware that may raise an exception totrigger an error view (such asPermissionDenied)if you’re usingCSRF_USE_SESSIONS. SeeMiddleware ordering.

CSRF_FAILURE_VIEW¶

Default:'django.views.csrf.csrf_failure'

A dotted path to the view function to be used when an incoming request isrejected by theCSRF protection. The function should havethis signature:

defcsrf_failure(request,reason=""):...

wherereason is a short message (intended for developers or logging, notfor end users) indicating the reason the request was rejected. It should returnanHttpResponseForbidden.

django.views.csrf.csrf_failure() accepts an additionaltemplate_nameparameter that defaults to'403_csrf.html'. If a template with that nameexists, it will be used to render the page.

CSRF_HEADER_NAME¶

Default:'HTTP_X_CSRFTOKEN'

The name of the request header used for CSRF authentication.

As with other HTTP headers inrequest.META, the header name received fromthe server is normalized by converting all characters to uppercase, replacingany hyphens with underscores, and adding an'HTTP_' prefix to the name.For example, if your client sends a'X-XSRF-TOKEN' header, the settingshould be'HTTP_X_XSRF_TOKEN'.

CSRF_TRUSTED_ORIGINS¶

Default:[] (Empty list)

A list of trusted origins for unsafe requests (e.g.POST).

For requests that include theOrigin header, Django’s CSRF protectionrequires that header match the origin present in theHost header.

For a secure (determined byis_secure()) unsaferequest that doesn’t include theOrigin header, the request must include aReferer header that matches the origin in theHost header.

These checks prevent, for example, aPOST request fromsubdomain.example.com from succeeding againstapi.example.com. If youneed cross-origin unsafe requests, continuing the example, add'https://subdomain.example.com' to this list (and/orhttp://... ifrequests originate from an insecure page).

The setting also supports subdomains, so you could add'https://*.example.com', for example, to allow access from all subdomainsofexample.com.

DATABASES¶

Default:{} (Empty dictionary)

A dictionary containing the settings for all databases to be used withDjango. It is a nested dictionary whose contents map a database aliasto a dictionary containing the options for an individual database.

TheDATABASES setting must configure adefault database;any number of additional databases may also be specified.

The simplest possible settings file is for a single-database setup usingSQLite. This can be configured using the following:

DATABASES={"default":{"ENGINE":"django.db.backends.sqlite3","NAME":"mydatabase",}}

When connecting to other database backends, such as MariaDB, MySQL, Oracle, orPostgreSQL, additional connection parameters will be required. SeetheENGINE setting below on how to specifyother database types. This example is for PostgreSQL:

DATABASES={"default":{"ENGINE":"django.db.backends.postgresql","NAME":"mydatabase","USER":"mydatabaseuser","PASSWORD":"mypassword","HOST":"127.0.0.1","PORT":"5432",}}

The following inner options that may be required for more complexconfigurations are available:

"HOST":"/var/run/mysql"

DATABASES={"default":{"ENGINE":"django.db.backends.postgresql","USER":"mydatabaseuser","NAME":"mydatabase","TEST":{"NAME":"mytestdatabase",},},}

DATA_UPLOAD_MAX_MEMORY_SIZE¶

Default:2621440 (i.e. 2.5 MB).

The maximum size in bytes that a request body may be before aSuspiciousOperation (RequestDataTooBig) israised. The check is done when accessingrequest.body orrequest.POSTand is calculated against the total request size excluding any file uploaddata. You can set this toNone to disable the check. Applications that areexpected to receive unusually large form posts should tune this setting.

The amount of request data is correlated to the amount of memory needed toprocess the request and populate the GET and POST dictionaries. Large requestscould be used as a denial-of-service attack vector if left unchecked. Since webservers don’t typically perform deep request inspection, it’s not possible toperform a similar check at that level.

See alsoFILE_UPLOAD_MAX_MEMORY_SIZE.

DATA_UPLOAD_MAX_NUMBER_FIELDS¶

Default:1000

The maximum number of parameters that may be received via GET or POST before aSuspiciousOperation (TooManyFields) israised. You can set this toNone to disable the check. Applications thatare expected to receive an unusually large number of form fields should tunethis setting.

The number of request parameters is correlated to the amount of time needed toprocess the request and populate the GET and POST dictionaries. Large requestscould be used as a denial-of-service attack vector if left unchecked. Since webservers don’t typically perform deep request inspection, it’s not possible toperform a similar check at that level.

DATA_UPLOAD_MAX_NUMBER_FILES¶

Default:100

The maximum number of files that may be received via POST in amultipart/form-data encoded request before aSuspiciousOperation (TooManyFiles) israised. You can set this toNone to disable the check. Applications thatare expected to receive an unusually large number of file fields should tunethis setting.

The number of accepted files is correlated to the amount of time and memoryneeded to process the request. Large requests could be used as adenial-of-service attack vector if left unchecked. Since web servers don’ttypically perform deep request inspection, it’s not possible to perform asimilar check at that level.

DATABASE_ROUTERS¶

Default:[] (Empty list)

The list of routers that will be used to determine which databaseto use when performing a database query.

See the documentation onautomatic database routing in multidatabase configurations.

DATE_FORMAT¶

Default:'Nj,Y' (e.g.Feb.4,2003)

The default formatting to use for displaying date fields in any part of thesystem. Note that the locale-dictated format has higher precedence and will beapplied instead. Seealloweddateformatstrings.

See alsoDATETIME_FORMAT,TIME_FORMAT andSHORT_DATE_FORMAT.

DATE_INPUT_FORMATS¶

Default:

["%Y-%m-%d",# '2006-10-25'"%m/%d/%Y",# '10/25/2006'"%m/%d/%y",# '10/25/06'"%b%d %Y",# 'Oct 25 2006'"%b%d, %Y",# 'Oct 25, 2006'"%d %b %Y",# '25 Oct 2006'"%d %b, %Y",# '25 Oct, 2006'"%B%d %Y",# 'October 25 2006'"%B%d, %Y",# 'October 25, 2006'"%d %B %Y",# '25 October 2006'"%d %B, %Y",# '25 October, 2006']

A list of formats that will be accepted when inputting data on a date field.Formats will be tried in order, using the first valid one. Note that theseformat strings use Python’sdatetime module syntax, not the format strings from thedatetemplate filter.

The locale-dictated format has higher precedence and will be applied instead.

See alsoDATETIME_INPUT_FORMATS andTIME_INPUT_FORMATS.

DATETIME_FORMAT¶

Default:'Nj,Y,P' (e.g.Feb.4,2003,4p.m.)

The default formatting to use for displaying datetime fields in any part of thesystem. Note that the locale-dictated format has higher precedence and will beapplied instead. Seealloweddateformatstrings.

See alsoDATE_FORMAT,TIME_FORMAT andSHORT_DATETIME_FORMAT.

DATETIME_INPUT_FORMATS¶

Default:

["%Y-%m-%d %H:%M:%S",# '2006-10-25 14:30:59'"%Y-%m-%d %H:%M:%S.%f",# '2006-10-25 14:30:59.000200'"%Y-%m-%d %H:%M",# '2006-10-25 14:30'"%m/%d/%Y %H:%M:%S",# '10/25/2006 14:30:59'"%m/%d/%Y %H:%M:%S.%f",# '10/25/2006 14:30:59.000200'"%m/%d/%Y %H:%M",# '10/25/2006 14:30'"%m/%d/%y %H:%M:%S",# '10/25/06 14:30:59'"%m/%d/%y %H:%M:%S.%f",# '10/25/06 14:30:59.000200'"%m/%d/%y %H:%M",# '10/25/06 14:30']

A list of formats that will be accepted when inputting data on a datetimefield. Formats will be tried in order, using the first valid one. Note thatthese format strings use Python’sdatetime module syntax, not the format strings from thedatetemplate filter. Date-only formats are not included as datetime fields willautomatically tryDATE_INPUT_FORMATS in last resort.

The locale-dictated format has higher precedence and will be applied instead.

See alsoDATE_INPUT_FORMATS andTIME_INPUT_FORMATS.

DEBUG¶

Default:False

A boolean that turns on/off debug mode.

Never deploy a site into production withDEBUG turned on.

One of the main features of debug mode is the display of detailed error pages.If your app raises an exception whenDEBUG isTrue, Django willdisplay a detailed traceback, including a lot of metadata about yourenvironment, such as all the currently defined Django settings (fromsettings.py).

As a security measure, Django willnot include settings that might besensitive, such asSECRET_KEY. Specifically, it will exclude anysetting whose name includes any of the following:

• 'API'

• 'KEY'

• 'PASS'

• 'SECRET'

• 'SIGNATURE'

• 'TOKEN'

Note that these arepartial matches.'PASS' will also match PASSWORD,just as'TOKEN' will also match TOKENIZED and so on.

Still, note that there are always going to be sections of your debug outputthat are inappropriate for public consumption. File paths, configurationoptions and the like all give attackers extra information about your server.

It is also important to remember that when running withDEBUGturned on, Django will remember every SQL query it executes. This is usefulwhen you’re debugging, but it’ll rapidly consume memory on a production server.

Finally, ifDEBUG isFalse, you also need to properly settheALLOWED_HOSTS setting. Failing to do so will result in allrequests being returned as “Bad Request (400)”.

DEBUG_PROPAGATE_EXCEPTIONS¶

Default:False

If set toTrue, Django’s exception handling of view functions(handler500, or the debug view ifDEBUGisTrue) and logging of 500 responses (django.request) isskipped and exceptions propagate upward.

This can be useful for some test setups. It shouldn’t be used on a live siteunless you want your web server (instead of Django) to generate “InternalServer Error” responses. In that case, make sure your server doesn’t show thestack trace or other sensitive information in the response.

DECIMAL_SEPARATOR¶

Default:'.' (Dot)

Default decimal separator used when formatting decimal numbers.

Note that the locale-dictated format has higher precedence and will be appliedinstead.

See alsoNUMBER_GROUPING,THOUSAND_SEPARATOR andUSE_THOUSAND_SEPARATOR.

DEFAULT_AUTO_FIELD¶

Default:'django.db.models.BigAutoField'

Default primary key field type to use for models that don’t have a field withprimary_key=True.

DEFAULT_CHARSET¶

Default:'utf-8'

Default charset to use for allHttpResponse objects, if a MIME type isn’tmanually specified. Used when constructing theContent-Type header.

DEFAULT_EXCEPTION_REPORTER¶

Default:'django.views.debug.ExceptionReporter'

Default exception reporter class to be used if none has been assigned to theHttpRequest instance yet. SeeCustom error reports.

DEFAULT_EXCEPTION_REPORTER_FILTER¶

Default:'django.views.debug.SafeExceptionReporterFilter'

Default exception reporter filter class to be used if none has been assigned totheHttpRequest instance yet.SeeFiltering error reports.

DEFAULT_FROM_EMAIL¶

Default:'webmaster@localhost'

Default email address for automated correspondence from the site manager(s).This address is used in theFrom: header of outgoing emails and can takeany format valid in the chosen email sending protocol.

This doesn’t affect error messages sent toADMINS andMANAGERS. SeeSERVER_EMAIL for that.

DEFAULT_INDEX_TABLESPACE¶

Default:'' (Empty string)

Default tablespace to use for indexes on fields that don’t specifyone, if the backend supports it (seeTablespaces).

DEFAULT_TABLESPACE¶

Default:'' (Empty string)

Default tablespace to use for models that don’t specify one, if thebackend supports it (seeTablespaces).

DISALLOWED_USER_AGENTS¶

Default:[] (Empty list)

List of compiled regular expression objects representing User-Agent stringsthat are not allowed to visit any page, systemwide. Use this for bots/crawlers.This is only used ifCommonMiddleware is installed (seeMiddleware).

EMAIL_BACKEND¶

Default:'django.core.mail.backends.smtp.EmailBackend'

The backend to use for sending emails. For the list of available backends seeEmail backends.

EMAIL_FILE_PATH¶

Default: Not defined

The directory used by thefile email backendto store output files.

EMAIL_HOST¶

Default:'localhost'

The host to use for sending email.

See alsoEMAIL_PORT.

EMAIL_HOST_PASSWORD¶

Default:'' (Empty string)

Password to use for the SMTP server defined inEMAIL_HOST. Thissetting is used in conjunction withEMAIL_HOST_USER whenauthenticating to the SMTP server. If either of these settings is empty,Django won’t attempt authentication.

See alsoEMAIL_HOST_USER.

EMAIL_HOST_USER¶

Default:'' (Empty string)

Username to use for the SMTP server defined inEMAIL_HOST.If empty, Django won’t attempt authentication.

See alsoEMAIL_HOST_PASSWORD.

EMAIL_PORT¶

Default:25

Port to use for the SMTP server defined inEMAIL_HOST.

EMAIL_SUBJECT_PREFIX¶

Default:'[Django]'

Subject-line prefix for email messages sent withdjango.core.mail.mail_admins ordjango.core.mail.mail_managers. You’llprobably want to include the trailing space.

EMAIL_USE_LOCALTIME¶

Default:False

Whether to send the SMTPDate header of email messages in the local timezone (True) or in UTC (False).

EMAIL_USE_TLS¶

Default:False

Whether to use a TLS (secure) connection when talking to the SMTP server.This is used for explicit TLS connections, generally on port 587. If you areexperiencing hanging connections, see the implicit TLS settingEMAIL_USE_SSL.

EMAIL_USE_SSL¶

Default:False

Whether to use an implicit TLS (secure) connection when talking to the SMTPserver. In most email documentation this type of TLS connection is referredto as SSL. It is generally used on port 465. If you are experiencing problems,see the explicit TLS settingEMAIL_USE_TLS.

Note thatEMAIL_USE_TLS/EMAIL_USE_SSL are mutuallyexclusive, so only set one of those settings toTrue.

EMAIL_SSL_CERTFILE¶

Default:None

IfEMAIL_USE_SSL orEMAIL_USE_TLS isTrue and thesecure connection to the SMTP server requires client authentication, use thissetting to specify the path to a PEM-formatted certificate chain file, whichmust be used in conjunction withEMAIL_SSL_KEYFILE.

EMAIL_SSL_CERTFILE should not be used with a self-signed server certificateor a certificate from a private certificate authority (CA). In such cases, theserver’s certificate (or the root certificate of the private CA) should beinstalled into the system’s CA bundle. This can be done by followingplatform-specific instructions for installing a root CA certificate,or by using OpenSSL’sSSL_CERT_FILE orSSL_CERT_DIR environmentvariables to specify a custom certificate bundle (if modifying the systembundle is not possible or desired).

For more complex scenarios, the SMTPEmailBackend can be subclassed to addroot certificates to itsssl_context usingssl.SSLContext.load_verify_locations().

EMAIL_SSL_KEYFILE¶

Default:None

IfEMAIL_USE_SSL orEMAIL_USE_TLS isTrue, you canoptionally specify the path to a PEM-formatted private key file for clientauthentication of the SSL connection along withEMAIL_SSL_CERTFILE.

Note that settingEMAIL_SSL_CERTFILE andEMAIL_SSL_KEYFILE doesn’t result in any certificate checking.They’re passed to the underlying SSL connection. Please refer to thedocumentation of Python’sssl.SSLContext.wrap_socket() functionfor details on how the certificate chain file and private key file are handled.

EMAIL_TIMEOUT¶

Default:None

Specifies a timeout in seconds for blocking operations like the connectionattempt.

FILE_UPLOAD_HANDLERS¶

Default:

["django.core.files.uploadhandler.MemoryFileUploadHandler","django.core.files.uploadhandler.TemporaryFileUploadHandler",]

A list of handlers to use for uploading. Changing this setting allows completecustomization – even replacement – of Django’s upload process.

SeeManaging files for details.

FILE_UPLOAD_MAX_MEMORY_SIZE¶

Default:2621440 (i.e. 2.5 MB).

The maximum size (in bytes) that an upload will be before it gets streamed tothe file system. SeeManaging files for details.

See alsoDATA_UPLOAD_MAX_MEMORY_SIZE.

FILE_UPLOAD_DIRECTORY_PERMISSIONS¶

Default:None

The numeric mode to apply to directories created in the process of uploadingfiles.

This setting also determines the default permissions for collected staticdirectories when using thecollectstatic management command. Seecollectstatic for details on overriding it.

This value mirrors the functionality and caveats of theFILE_UPLOAD_PERMISSIONS setting.

FILE_UPLOAD_PERMISSIONS¶

Default:0o644

The numeric mode (i.e.0o644) to set newly uploaded files to. Formore information about what these modes mean, see the documentation foros.chmod().

IfNone, you’ll get operating-system dependent behavior. On most platforms,temporary files will have a mode of0o600, and files saved from memory willbe saved using the system’s standard umask.

For security reasons, these permissions aren’t applied to the temporary filesthat are stored inFILE_UPLOAD_TEMP_DIR.

This setting also determines the default permissions for collected static fileswhen using thecollectstatic management command. Seecollectstatic for details on overriding it.

FILE_UPLOAD_TEMP_DIR¶

Default:None

The directory to store data to (typically files larger thanFILE_UPLOAD_MAX_MEMORY_SIZE) temporarily while uploading files.IfNone, Django will use the standard temporary directory for the operatingsystem. For example, this will default to/tmp on *nix-style operatingsystems.

SeeManaging files for details.

FIRST_DAY_OF_WEEK¶

Default:0 (Sunday)

A number representing the first day of the week. This is especially usefulwhen displaying a calendar. This value is only used when not usingformat internationalization, or when a format cannot be found for thecurrent locale.

The value must be an integer from 0 to 6, where 0 means Sunday, 1 meansMonday and so on.

FIXTURE_DIRS¶

Default:[] (Empty list)

List of directories searched forfixture files,in addition to thefixtures directory of each application, in search order.

Note that these paths should use Unix-style forward slashes, even on Windows.

SeeProvide data with fixtures andFixture loading.

FORCE_SCRIPT_NAME¶

Default:None

If notNone, this will be used as the value of theSCRIPT_NAMEenvironment variable in any HTTP request. This setting can be used to overridethe server-provided value ofSCRIPT_NAME, which may be a rewritten versionof the preferred value or not supplied at all. It is also used bydjango.setup() to set the URL resolver script prefix outside of therequest/response cycle (e.g. in management commands and standalone scripts) togenerate correct URLs whenFORCE_SCRIPT_NAME is provided.

FORM_RENDERER¶

Default:'django.forms.renderers.DjangoTemplates'

The class that renders forms and form widgets. It must implementthe low-level render API. Included formrenderers are:

• 'django.forms.renderers.DjangoTemplates'

• 'django.forms.renderers.Jinja2'

• 'django.forms.renderers.TemplatesSetting'

FORMAT_MODULE_PATH¶

Default:None

A full Python path to a Python package that contains custom format definitionsfor project locales. If notNone, Django will check for aformats.pyfile, under the directory named as the current locale, and will use theformats defined in this file.

The name of the directory containing the format definitions is expected to benamed usinglocale name notation, for examplede,pt_BR,en_US, etc.

For example, ifFORMAT_MODULE_PATH is set tomysite.formats,and current language isen (English), Django will expect a directory treelike:

mysite/    formats/        __init__.py        en/            __init__.py            formats.py

You can also set this setting to a list of Python paths, for example:

FORMAT_MODULE_PATH=["mysite.formats","some_app.formats",]

When Django searches for a certain format, it will go through all given Pythonpaths until it finds a module that actually defines the given format. Thismeans that formats defined in packages farther up in the list will takeprecedence over the same formats in packages farther down.

Available formats are:

• DATE_FORMAT

• DATE_INPUT_FORMATS

• DATETIME_FORMAT,

• DATETIME_INPUT_FORMATS

• DECIMAL_SEPARATOR

• FIRST_DAY_OF_WEEK

• MONTH_DAY_FORMAT

• NUMBER_GROUPING

• SHORT_DATE_FORMAT

• SHORT_DATETIME_FORMAT

• THOUSAND_SEPARATOR

• TIME_FORMAT

• TIME_INPUT_FORMATS

• YEAR_MONTH_FORMAT

IGNORABLE_404_URLS¶

Default:[] (Empty list)

List of compiled regular expression objects describing URLs that should beignored when reporting HTTP 404 errors via email (seeHow to manage error reporting). Regular expressions are matched againstrequest’s full paths, as returned byget_full_path() (including any query strings).Use this if your site does not provide a commonly requested file such asfavicon.ico orrobots.txt.

This is only used ifBrokenLinkEmailsMiddleware is enabled (seeMiddleware).

INSTALLED_APPS¶

Default:[] (Empty list)

A list of strings designating all applications that are enabled in thisDjango installation. Each string should be a dotted Python path to:

• an application configuration class (preferred), or

• a package containing an application.

Learn more about application configurations.

When several applications provide different versions of the same resource(template, static file, management command, translation), the applicationlisted first inINSTALLED_APPS has precedence.

INTERNAL_IPS¶

Default:[] (Empty list)

A list of IP addresses, as strings, that:

• Allow thedebug() context processorto add some variables to the template context.

• Can use theadmindocs bookmarklets even ifnot logged in as a staff user.

• Are marked as “internal” (as opposed to “EXTERNAL”) inAdminEmailHandler emails.

LANGUAGE_CODE¶

Default:'en-us'

A string representing the language code for this installation. This should bein standardlanguage ID format. For example, U.S.English is"en-us". See also thelist of language identifiers andInternationalization and localization.

It serves three purposes:

• If the locale middleware isn’t in use, it decides which translation is servedto all users.

• If the locale middleware is active, it provides a fallback language in casethe user’s preferred language can’t be determined or is not supported by thewebsite. It also provides the fallback translation when a translation for agiven literal doesn’t exist for the user’s preferred language.

• If localization is explicitly disabled via theunlocalize filteror the{%localizeoff%} tag, it provides fallbacklocalization formats which will be applied instead. Seecontrolling localization in templates fordetails.

SeeHow Django discovers language preference for more details.

LANGUAGE_COOKIE_AGE¶

Default:None (expires at browser close)

The age of the language cookie, in seconds.

LANGUAGE_COOKIE_DOMAIN¶

Default:None

The domain to use for the language cookie. Set this to a string such as"example.com" for cross-domain cookies, or useNone for a standarddomain cookie.

Be cautious when updating this setting on a production site. If you updatethis setting to enable cross-domain cookies on a site that previously usedstandard domain cookies, existing user cookies that have the old domainwill not be updated. This will result in site users being unable to switchthe language as long as these cookies persist. The only safe and reliableoption to perform the switch is to change the language cookie namepermanently (via theLANGUAGE_COOKIE_NAME setting) and to adda middleware that copies the value from the old cookie to a new one and thendeletes the old one.

LANGUAGE_COOKIE_HTTPONLY¶

Default:False

Whether to useHttpOnly flag on the language cookie. If this is set toTrue, client-side JavaScript will not be able to access the languagecookie.

SeeSESSION_COOKIE_HTTPONLY for details onHttpOnly.

LANGUAGE_COOKIE_NAME¶

Default:'django_language'

The name of the cookie to use for the language cookie. This can be whateveryou want (as long as it’s different from the other cookie names in yourapplication). SeeInternationalization and localization.

LANGUAGE_COOKIE_PATH¶

Default:'/'

The path set on the language cookie. This should either match the URL path ofyour Django installation or be a parent of that path.

This is useful if you have multiple Django instances running under the samehostname. They can use different cookie paths and each instance will only seeits own language cookie.

Be cautious when updating this setting on a production site. If you update thissetting to use a deeper path than it previously used, existing user cookiesthat have the old path will not be updated. This will result in site usersbeing unable to switch the language as long as these cookies persist. The onlysafe and reliable option to perform the switch is to change the language cookiename permanently (via theLANGUAGE_COOKIE_NAME setting), and to adda middleware that copies the value from the old cookie to a new one and thendeletes the one.

LANGUAGE_COOKIE_SAMESITE¶

Default:None

The value of theSameSite flag on the language cookie. This flag preventsthe cookie from being sent in cross-site requests.

SeeSESSION_COOKIE_SAMESITE for details aboutSameSite.

LANGUAGE_COOKIE_SECURE¶

Default:False

Whether to use a secure cookie for the language cookie. If this is set toTrue, the cookie will be marked as “secure”, which means browsers mayensure that the cookie is only sent under an HTTPS connection.

LANGUAGES¶

Default: A list of all available languages. This list is continually growingand including a copy here would inevitably become rapidly out of date. You cansee the current list of translated languages by looking indjango/conf/global_settings.py.

The list is a list of 2-tuples in the format(language code,languagename) – for example,('ja','Japanese').This specifies which languages are available for language selection. SeeInternationalization and localization.

Generally, the default value should suffice. Only set this setting if you wantto restrict language selection to a subset of the Django-provided languages.

If you define a customLANGUAGES setting, you can mark thelanguage names as translation strings using thegettext_lazy() function.

Here’s a sample settings file:

fromdjango.utils.translationimportgettext_lazyas_LANGUAGES=[("de",_("German")),("en",_("English")),]

LANGUAGES_BIDI¶

Default: A list of all language codes that are written right-to-left. You cansee the current list of these languages by looking indjango/conf/global_settings.py.

The list containslanguage codes for languages that arewritten right-to-left.

Generally, the default value should suffice. Only set this setting if you wantto restrict language selection to a subset of the Django-provided languages.If you define a customLANGUAGES setting, the list of bidirectionallanguages may contain language codes which are not enabled on a given site.

LOCALE_PATHS¶

Default:[] (Empty list)

A list of directories where Django looks for translation files.SeeHow Django discovers translations.

Example:

LOCALE_PATHS=["/home/www/project/common_files/locale","/var/local/translations/locale",]

Django will look within each of these paths for the<locale_code>/LC_MESSAGES directories containing the actual translationfiles.

LOGGING¶

Default: A logging configuration dictionary.

A data structure containing configuration information. When not-empty, thecontents of this data structure will be passed as the argument to theconfiguration method described inLOGGING_CONFIG.

Among other things, the default logging configuration passes HTTP 500 servererrors to an email log handler whenDEBUG isFalse. See alsoConfiguring logging.

You can see the default logging configuration by looking indjango/utils/log.py.

LOGGING_CONFIG¶

Default:'logging.config.dictConfig'

A path to a callable that will be used to configure logging in theDjango project. Points at an instance of Python’sdictConfig configuration method by default.

If you setLOGGING_CONFIG toNone, the loggingconfiguration process will be skipped.

MANAGERS¶

Default:[] (Empty list)

A list in the same format asADMINS that specifies who should getbroken link notifications whenBrokenLinkEmailsMiddleware is enabled.

MEDIA_ROOT¶

Default:'' (Empty string)

Absolute filesystem path to the directory that will holduser-uploadedfiles.

Example:"/var/www/example.com/media/"

See alsoMEDIA_URL.

MEDIA_URL¶

Default:'' (Empty string)

URL that handles the media served fromMEDIA_ROOT, usedformanaging stored files. It must end in a slash if setto a non-empty value. You will need toconfigure these files to be served in both development and productionenvironments.

If you want to use{{MEDIA_URL}} in your templates, add'django.template.context_processors.media' in the'context_processors'option ofTEMPLATES.

Example:"https://media.example.com/"

MIDDLEWARE¶

Default:None

A list of middleware to use. SeeMiddleware.

MIGRATION_MODULES¶

Default:{} (Empty dictionary)

A dictionary specifying the package where migration modules can be found on aper-app basis. The default value of this setting is an empty dictionary, butthe default package name for migration modules ismigrations.

Example:

{"blog":"blog.db_migrations"}

In this case, migrations pertaining to theblog app will be contained intheblog.db_migrations package.

If you provide theapp_label argument,makemigrations willautomatically create the package if it doesn’t already exist.

When you supplyNone as a value for an app, Django will consider the app asan app without migrations regardless of an existingmigrations submodule.This can be used, for example, in a test settings file to skip migrations whiletesting (tables will still be created for the apps’ models). To disablemigrations for all apps during tests, you can set theMIGRATE toFalse instead. IfMIGRATION_MODULES is used in your general project settings, remember to usethemigrate--run-syncdb option if you want to create tables for theapp.

MONTH_DAY_FORMAT¶

Default:'Fj'

The default formatting to use for date fields on Django admin change-listpages – and, possibly, by other parts of the system – in cases when only themonth and day are displayed.

For example, when a Django admin change-list page is being filtered by a datedrilldown, the header for a given day displays the day and month. Differentlocales have different formats. For example, U.S. English would say“January 1,” whereas Spanish might say “1 Enero.”

Note that the corresponding locale-dictated format has higher precedence andwill be applied instead.

Seealloweddateformatstrings. See alsoDATE_FORMAT,DATETIME_FORMAT,TIME_FORMAT andYEAR_MONTH_FORMAT.

NUMBER_GROUPING¶

Default:0

Number of digits grouped together on the integer part of a number.

Common use is to display a thousand separator. If this setting is0, thenno grouping will be applied to the number. If this setting is greater than0, thenTHOUSAND_SEPARATOR will be used as the separator betweenthose groups.

Some locales use non-uniform digit grouping, e.g.10,00,00,000 inen_IN. For this case, you can provide a sequence with the number of digitgroup sizes to be applied. The first number defines the size of the grouppreceding the decimal delimiter, and each number that follows defines the sizeof preceding groups. If the sequence is terminated with-1, no furthergrouping is performed. If the sequence terminates with a0, the last groupsize is used for the remainder of the number.

Example tuple foren_IN:

NUMBER_GROUPING=(3,2,0)

Note that the locale-dictated format has higher precedence and will be appliedinstead.

See alsoDECIMAL_SEPARATOR,THOUSAND_SEPARATOR andUSE_THOUSAND_SEPARATOR.

PREPEND_WWW¶

Default:False

Whether to prepend the “www.” subdomain to URLs that don’t have it. This isonly used ifCommonMiddleware is installed(seeMiddleware). See alsoAPPEND_SLASH.

ROOT_URLCONF¶

Default: Not defined

A string representing the full Python import path to your root URLconf, forexample"mydjangoapps.urls". Can be overridden on a per-request basis bysetting the attributeurlconf on the incomingHttpRequestobject. SeeHow Django processes a request for details.

SECRET_KEY¶

Default:'' (Empty string)

A secret key for a particular Django installation. This is used to providecryptographic signing, and should be set to a unique,unpredictable value.

django-adminstartproject automatically adds arandomly-generatedSECRET_KEY to each new project.

Uses of the key shouldn’t assume that it’s text or bytes. Every use should gothroughforce_str() orforce_bytes() to convert it to the desired type.

Django will refuse to start ifSECRET_KEY is not set.

The secret key is used for:

• Allsessions if you are usingany other session backend thandjango.contrib.sessions.backends.cache,or are using the defaultget_session_auth_hash().

• Allmessages if you are usingCookieStorage orFallbackStorage.

• AllPasswordResetView tokens.

• Any usage ofcryptographic signing, unless adifferent key is provided.

When a secret key is no longer set asSECRET_KEY or contained withinSECRET_KEY_FALLBACKS all of the above will be invalidated. Whenrotating your secret key, you should move the old key toSECRET_KEY_FALLBACKS temporarily. Secret keys are not used forpasswords of users and key rotation will not affect them.

SECRET_KEY_FALLBACKS¶

Default:[]

A list of fallback secret keys for a particular Django installation. These areused to allow rotation of theSECRET_KEY.

In order to rotate your secret keys, set a newSECRET_KEY and move theprevious value to the beginning ofSECRET_KEY_FALLBACKS. Then remove theold values from the end of theSECRET_KEY_FALLBACKS when you are ready toexpire the sessions, password reset tokens, and so on, that make use of them.

Uses of the secret key values shouldn’t assume that they are text or bytes.Every use should go throughforce_str() orforce_bytes() to convert it to the desired type.

SECURE_CONTENT_TYPE_NOSNIFF¶

Default:True

IfTrue, theSecurityMiddlewaresets theX-Content-Type-Options: nosniff header on all responses that do notalready have it.

SECURE_CROSS_ORIGIN_OPENER_POLICY¶

Default:'same-origin'

Unless set toNone, theSecurityMiddleware sets theCross-Origin Opener Policy header on all responses that do not alreadyhave it to the value provided.

SECURE_CSP¶

Default:{}

This setting defines the directives used by theContentSecurityPolicyMiddleware, whichgenerates and adds aContent-Security-Policy (CSP) headerto all responses that do not already include one.

TheContent-Security-Policy header instructs browsers to restrict whichresources a page is allowed to load. A properly configured CSP can blockcontent that violates defined rules, helping prevent cross-site scripting (XSS)and other content injection attacks by explicitly declaring trusted sources forcontent such as scripts, styles, images, fonts, and more.

The setting must be a mapping (typically a dictionary) of directive names totheir values. Each key should be a valid CSP directive such asdefault-srcorscript-src. The corresponding value can be a list, tuple, or set ofsource expressions or URLs to allow for that directive. If a set is used, itwill be automatically sorted to ensure consistent output in the generatedheaders.

This example illustrates the expected structure, using the constants defined inCSP constants:

fromdjango.utils.cspimportCSPSECURE_CSP={"default-src":[CSP.SELF],"img-src":["data:",CSP.SELF,"https://images.example.com"],"frame-src":[CSP.NONE],}

SECURE_CSP_REPORT_ONLY¶

Default:{}

This setting is just likeSECURE_CSP, but instead of enforcing thepolicy, it instructs theContentSecurityPolicyMiddleware to apply aContent-Security-Policy-Report-Only header to responses, which allowsbrowsers to monitor and report policy violations without blocking content. Thisis useful for testing and refining a policy before enforcement.

Most browsers log CSP violations to the developer console and can optionallysend them to a reporting endpoint. To collect these reports, thereport-uridirective must be defined (seePolicy violation reports for more details).

As noted in theMDN documentation on Content-Security-Policy-Report-Only,thereport-uri directive must be specified for reports to be sent;otherwise, the header has no reporting effect (other than logging to thebrowser’s developer tools console).

Following the example from theSECURE_CSP setting:

fromdjango.utils.cspimportCSPSECURE_CSP_REPORT_ONLY={"default-src":[CSP.SELF],"img-src":["data:",CSP.SELF,"https://images.example.com"],"frame-src":[CSP.NONE],"report-uri":"/my-site/csp/reports/",}

SECURE_HSTS_INCLUDE_SUBDOMAINS¶

Default:False

IfTrue, theSecurityMiddleware addstheincludeSubDomains directive to theHTTP Strict Transport Security header. It has no effect unlessSECURE_HSTS_SECONDS is set to a non-zero value.

SECURE_HSTS_PRELOAD¶

Default:False

IfTrue, theSecurityMiddleware addsthepreload directive to theHTTP Strict Transport Securityheader. It has no effect unlessSECURE_HSTS_SECONDS is set to anon-zero value.

SECURE_HSTS_SECONDS¶

Default:0

If set to a non-zero integer value, theSecurityMiddleware sets theHTTP Strict Transport Security header on all responses that do notalready have it.

SECURE_PROXY_SSL_HEADER¶

Default:None

A tuple representing an HTTP header/value combination that signifies a requestis secure. This controls the behavior of the request object’sis_secure()method.

By default,is_secure() determines if a request is secure by confirmingthat a requested URL useshttps://. This method is important for Django’sCSRF protection, and it may be used by your own code or third-party apps.

If your Django app is behind a proxy, though, the proxy may be “swallowing”whether the original request uses HTTPS or not. If there is a non-HTTPSconnection between the proxy and Django thenis_secure() would alwaysreturnFalse – even for requests that were made via HTTPS by the end user.In contrast, if there is an HTTPS connection between the proxy and Django thenis_secure() would always returnTrue – even for requests that weremade originally via HTTP.

In this situation, configure your proxy to set a custom HTTP header that tellsDjango whether the request came in via HTTPS, and setSECURE_PROXY_SSL_HEADER so that Django knows what header to look for.

Set a tuple with two elements – the name of the header to look for and therequired value. For example:

SECURE_PROXY_SSL_HEADER=("HTTP_X_FORWARDED_PROTO","https")

This tells Django to trust theX-Forwarded-Proto header that comes from ourproxy and that the request is guaranteed to be secure (i.e., it originally camein via HTTPS) when:

• the header value is'https', or

• its initial, leftmost value is'https' in the case of a comma-separatedlist of protocols (e.g.'https,http,http').

You shouldonly set this setting if you control your proxy or have some otherguarantee that it sets/strips this header appropriately.

Note that the header needs to be in the format as used byrequest.META –all caps and likely starting withHTTP_. (Remember, Django automaticallyadds'HTTP_' to the start of x-header names before making the headeravailable inrequest.META.)

SECURE_REDIRECT_EXEMPT¶

Default:[] (Empty list)

If a URL path matches a regular expression in this list, the request will notbe redirected to HTTPS. TheSecurityMiddleware strips leading slashesfrom URL paths, so patterns shouldn’t include them, e.g.SECURE_REDIRECT_EXEMPT=[r'^no-ssl/$',…]. IfSECURE_SSL_REDIRECT isFalse, this setting has no effect.

SECURE_REFERRER_POLICY¶

Default:'same-origin'

If configured, theSecurityMiddleware setstheReferrer Policy header on all responses that do not already have itto the value provided.

SECURE_SSL_HOST¶

Default:None

If a string (e.g.secure.example.com), all SSL redirects will be directedto this host rather than the originally-requested host (e.g.www.example.com). IfSECURE_SSL_REDIRECT isFalse, thissetting has no effect.

SECURE_SSL_REDIRECT¶

Default:False

IfTrue, theSecurityMiddlewareredirects all non-HTTPS requests to HTTPS (except forthose URLs matching a regular expression listed inSECURE_REDIRECT_EXEMPT).

SERIALIZATION_MODULES¶

Default: Not defined

A dictionary of modules containing serializer definitions (provided asstrings), keyed by a string identifier for that serialization type. Forexample, to define a YAML serializer, use:

SERIALIZATION_MODULES={"yaml":"path.to.yaml_serializer"}

SERVER_EMAIL¶

Default:'root@localhost'

The email address that error messages come from, such as those sent toADMINS andMANAGERS. This address is used in theFrom: header and can take any format valid in the chosen email sendingprotocol.

SHORT_DATE_FORMAT¶

Default:'m/d/Y' (e.g.12/31/2003)

An available formatting that can be used for displaying date fields ontemplates. Note that the corresponding locale-dictated format has higherprecedence and will be applied instead. Seealloweddateformatstrings.

See alsoDATE_FORMAT andSHORT_DATETIME_FORMAT.

SHORT_DATETIME_FORMAT¶

Default:'m/d/YP' (e.g.12/31/20034p.m.)

An available formatting that can be used for displaying datetime fields ontemplates. Note that the corresponding locale-dictated format has higherprecedence and will be applied instead. Seealloweddateformatstrings.

See alsoDATE_FORMAT andSHORT_DATE_FORMAT.

SIGNING_BACKEND¶

Default:'django.core.signing.TimestampSigner'

The backend used for signing cookies and other data.

See also theCryptographic signing documentation.

SILENCED_SYSTEM_CHECKS¶

Default:[] (Empty list)

A list of identifiers of messages generated by the system check framework(i.e.["models.W001"]) that you wish to permanently acknowledge and ignore.Silenced checks will not be output to the console.

See also theSystem check framework documentation.

STORAGES¶

Default:

{"default":{"BACKEND":"django.core.files.storage.FileSystemStorage",},"staticfiles":{"BACKEND":"django.contrib.staticfiles.storage.StaticFilesStorage",},}

A dictionary containing the settings for all storages to be used with Django.It is a nested dictionary whose contents map a storage alias to a dictionarycontaining the options for an individual storage.

Storages can have any alias you choose. However, there are two aliases withspecial significance:

• default formanaging files.'django.core.files.storage.FileSystemStorage' is thedefault storage engine.

• staticfiles formanaging static files.'django.contrib.staticfiles.storage.StaticFilesStorage' isthe default storage engine.

The following is an examplesettings.py snippet defining a custom filestorage calledexample:

STORAGES={# ..."example":{"BACKEND":"django.core.files.storage.FileSystemStorage","OPTIONS":{"location":"/example","base_url":"/example/",},},}

OPTIONS are passed to theBACKEND on initialization in**kwargs.

A ready-to-use instance of the storage backends can be retrieved fromdjango.core.files.storage.storages. Use a key corresponding to thebackend definition inSTORAGES.

TASKS¶

Default:

{"default":{"BACKEND":"django.tasks.backends.immediate.ImmediateBackend",}}

A dictionary containing the settings for all Task backends to be used withDjango. It is a nested dictionary whose contents maps backend aliases to adictionary containing the options for each backend.

TheTASKS setting must configure adefault backend; any numberof additional backends may also be specified. Depending on which backend isused, other options may be required. The following options are available asstandard.

TEMPLATES¶

Default:[] (Empty list)

A list containing the settings for all template engines to be used withDjango. Each item of the list is a dictionary containing the options for anindividual engine.

Here’s a setup that tells the Django template engine to load templates from thetemplates subdirectory inside each installed application:

TEMPLATES=[{"BACKEND":"django.template.backends.django.DjangoTemplates","APP_DIRS":True,},]

The following options are available for all backends.

TEST_RUNNER¶

Default:'django.test.runner.DiscoverRunner'

The name of the class to use for starting the test suite. SeeUsing different testing frameworks.

TEST_NON_SERIALIZED_APPS¶

Default:[] (Empty list)

In order to restore the database state between tests forTransactionTestCases and database backends without transactions, Djangowillserialize the contents of all appswhen it starts the test run so it can then reload from that copy before runningtests that need it.

This slows down the startup time of the test runner; if you have apps thatyou know don’t need this feature, you can add their full names in here (e.g.'django.contrib.contenttypes') to exclude them from this serializationprocess.

THOUSAND_SEPARATOR¶

Default:',' (Comma)

Default thousand separator used when formatting numbers. This setting isused only whenUSE_THOUSAND_SEPARATOR isTrue andNUMBER_GROUPING is greater than0.

Note that the locale-dictated format has higher precedence and will be appliedinstead.

See alsoNUMBER_GROUPING,DECIMAL_SEPARATOR andUSE_THOUSAND_SEPARATOR.

TIME_FORMAT¶

Default:'P' (e.g.4p.m.)

The default formatting to use for displaying time fields in any part of thesystem. Note that the locale-dictated format has higher precedence and will beapplied instead. Seealloweddateformatstrings.

See alsoDATE_FORMAT andDATETIME_FORMAT.

TIME_INPUT_FORMATS¶

Default:

["%H:%M:%S",# '14:30:59'"%H:%M:%S.%f",# '14:30:59.000200'"%H:%M",# '14:30']

A list of formats that will be accepted when inputting data on a time field.Formats will be tried in order, using the first valid one. Note that theseformat strings use Python’sdatetime module syntax, not the format strings from thedatetemplate filter.

The locale-dictated format has higher precedence and will be applied instead.

See alsoDATE_INPUT_FORMATS andDATETIME_INPUT_FORMATS.

TIME_ZONE¶

Default:'America/Chicago'

A string representing the time zone for this installation. See thelist oftime zones.

Note that this isn’t necessarily the time zone of the server. For example, oneserver may serve multiple Django-powered sites, each with a separate time zonesetting.

WhenUSE_TZ isFalse, this is the time zone in which Djangowill store all datetimes. WhenUSE_TZ isTrue, this is thedefault time zone that Django will use to display datetimes in templates andto interpret datetimes entered in forms.

On Unix environments (wheretime.tzset() is implemented), Django sets theos.environ['TZ'] variable to the time zone you specify in theTIME_ZONE setting. Thus, all your views and models willautomatically operate in this time zone. However, Django won’t set theTZenvironment variable if you’re using the manual configuration option asdescribed inmanually configuring settings. If Django doesn’t set theTZenvironment variable, it’s up to you to ensure your processes are running inthe correct environment.

USE_I18N¶

Default:True

A boolean that specifies whether Django’s translation system should be enabled.This provides a way to turn it off, for performance. If this is set toFalse, Django will make some optimizations so as not to load thetranslation machinery.

See alsoLANGUAGE_CODE andUSE_TZ.

USE_THOUSAND_SEPARATOR¶

Default:False

A boolean that specifies whether to display numbers using a thousand separator.When set toTrue, Django will format numbers using theNUMBER_GROUPING andTHOUSAND_SEPARATOR settings. Thelatter two settings may also be dictated by the locale, which takes precedence.

See alsoDECIMAL_SEPARATOR,NUMBER_GROUPING andTHOUSAND_SEPARATOR.

USE_TZ¶

Default:True

A boolean that specifies if datetimes will be timezone-aware by default or not.If this is set toTrue, Django will use timezone-aware datetimesinternally.

WhenUSE_TZ is False, Django will use naive datetimes in local time, exceptwhen parsing ISO 8601 formatted strings, where timezone information will alwaysbe retained if present.

See alsoTIME_ZONE andUSE_I18N.

USE_X_FORWARDED_HOST¶

Default:False

A boolean that specifies whether to use theX-Forwarded-Host header inpreference to theHost header. This should only be enabled if a proxywhich sets this header is in use.

This setting takes priority overUSE_X_FORWARDED_PORT. PerRFC 7239 Section 5.3, theX-Forwarded-Host header can include the portnumber, in which case you shouldn’t useUSE_X_FORWARDED_PORT.

USE_X_FORWARDED_PORT¶

Default:False

A boolean that specifies whether to use theX-Forwarded-Port header inpreference to theSERVER_PORTMETA variable. This should only beenabled if a proxy which sets this header is in use.

USE_X_FORWARDED_HOST takes priority over this setting.

URLIZE_ASSUME_HTTPS¶

Default:False

Set this transitional setting toTrue to opt into using HTTPS as thedefault protocol when none is provided in URLs processed by theurlize andurlizetrunc template filters during the Django6.x release cycle.

WSGI_APPLICATION¶

Default:None

The full Python path of the WSGI application object that Django’s built-inservers (e.g.runserver) will use. Thedjango-adminstartproject management command will create a standardwsgi.py file with anapplication callable in it, and point this settingto thatapplication.

If not set, the return value ofdjango.core.wsgi.get_wsgi_application()will be used. In this case, the behavior ofrunserver will beidentical to previous Django versions.

YEAR_MONTH_FORMAT¶

Default:'FY'

The default formatting to use for date fields on Django admin change-listpages – and, possibly, by other parts of the system – in cases when only theyear and month are displayed.

For example, when a Django admin change-list page is being filtered by a datedrilldown, the header for a given month displays the month and the year.Different locales have different formats. For example, U.S. English would say“January 2006,” whereas another locale might say “2006/January.”

Note that the corresponding locale-dictated format has higher precedence andwill be applied instead.

Seealloweddateformatstrings. See alsoDATE_FORMAT,DATETIME_FORMAT,TIME_FORMATandMONTH_DAY_FORMAT.

X_FRAME_OPTIONS¶

Default:'DENY'

The default value for the X-Frame-Options header used byXFrameOptionsMiddleware. See theclickjacking protection documentation.

AUTHENTICATION_BACKENDS¶

Default:['django.contrib.auth.backends.ModelBackend']

A list of authentication backend classes (as strings) to use when attempting toauthenticate a user. See theauthentication backends documentation for details.

AUTH_USER_MODEL¶

Default:'auth.User'

The model to use to represent a User. SeeSubstituting a custom User model.

LOGIN_REDIRECT_URL¶

Default:'/accounts/profile/'

The URL ornamed URL pattern where requests areredirected after login when theLoginViewdoesn’t get anext GET parameter.

LOGIN_URL¶

Default:'/accounts/login/'

The URL ornamed URL pattern where requests areredirected for login when using thelogin_required() decorator,LoginRequiredMixin,AccessMixin, or whenLoginRequiredMiddleware is installed.

LOGOUT_REDIRECT_URL¶

Default:None

The URL ornamed URL pattern where requests areredirected after logout ifLogoutViewdoesn’t have anext_page attribute.

IfNone, no redirect will be performed and the logout view will berendered.

PASSWORD_RESET_TIMEOUT¶

Default:259200 (3 days, in seconds)

The number of seconds a password reset link is valid for.

Used by thePasswordResetConfirmView.

PASSWORD_HASHERS¶

SeeHow Django stores passwords.

Default:

["django.contrib.auth.hashers.PBKDF2PasswordHasher","django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher","django.contrib.auth.hashers.Argon2PasswordHasher","django.contrib.auth.hashers.BCryptSHA256PasswordHasher","django.contrib.auth.hashers.ScryptPasswordHasher",]

AUTH_PASSWORD_VALIDATORS¶

Default:[] (Empty list)

The list of validators that are used to check the strength of user’s passwords.SeePassword validation for more details. By default, no validation isperformed and all passwords are accepted.

MESSAGE_LEVEL¶

Default:messages.INFO

Sets the minimum message level that will be recorded by the messagesframework. Seemessage levels for more details.

fromdjango.contrib.messagesimportconstantsasmessage_constantsMESSAGE_LEVEL=message_constants.DEBUG

MESSAGE_STORAGE¶

Default:'django.contrib.messages.storage.fallback.FallbackStorage'

Controls where Django stores message data. Valid values are:

• 'django.contrib.messages.storage.fallback.FallbackStorage'

• 'django.contrib.messages.storage.session.SessionStorage'

• 'django.contrib.messages.storage.cookie.CookieStorage'

Seemessage storage backends for moredetails.

The backends that use cookies –CookieStorage andFallbackStorage –use the value ofSESSION_COOKIE_DOMAIN,SESSION_COOKIE_SECURE andSESSION_COOKIE_HTTPONLY whensetting their cookies.

MESSAGE_TAGS¶

Default:

{messages.DEBUG:"debug",messages.INFO:"info",messages.SUCCESS:"success",messages.WARNING:"warning",messages.ERROR:"error",}

This sets the mapping of message level to message tag, which is typicallyrendered as a CSS class in HTML. If you specify a value, it will extendthe default. This means you only have to specify those values which you needto override. SeeDisplaying messages above for more details.

fromdjango.contrib.messagesimportconstantsasmessage_constantsMESSAGE_TAGS={message_constants.INFO:""}

SESSION_CACHE_ALIAS¶

Default:'default'

If you’re usingcache-based session storage,this selects the cache to use.

SESSION_COOKIE_AGE¶

Default:1209600 (2 weeks, in seconds)

The age of session cookies, in seconds.

SESSION_COOKIE_DOMAIN¶

Default:None

The domain to use for session cookies. Set this to a string such as"example.com" for cross-domain cookies, or useNone for a standarddomain cookie.

To use cross-domain cookies withCSRF_USE_SESSIONS, you must includea leading dot (e.g.".example.com") to accommodate the CSRF middleware’sreferer checking.

Be cautious when updating this setting on a production site. If you updatethis setting to enable cross-domain cookies on a site that previously usedstandard domain cookies, existing user cookies will be set to the olddomain. This may result in them being unable to log in as long as these cookiespersist.

This setting also affects cookies set bydjango.contrib.messages.

SESSION_COOKIE_HTTPONLY¶

Default:True

Whether to useHttpOnly flag on the session cookie. If this is set toTrue, client-side JavaScript will not be able to access the sessioncookie.

HttpOnly is a flag included in a Set-Cookie HTTP response header. It’s part oftheRFC 6265 Section 4.1.2.6 standard for cookies and can be a useful way tomitigate the risk of a client-side script accessing the protected cookie data.

This makes it less trivial for an attacker to escalate a cross-site scriptingvulnerability into full hijacking of a user’s session. There aren’t many goodreasons for turning this off. Your code shouldn’t read session cookies fromJavaScript.

SESSION_COOKIE_NAME¶

Default:'sessionid'

The name of the cookie to use for sessions. This can be whatever you want(as long as it’s different from the other cookie names in your application).

SESSION_COOKIE_PATH¶

Default:'/'

The path set on the session cookie. This should either match the URL path ofyour Django installation or be parent of that path.

This is useful if you have multiple Django instances running under the samehostname. They can use different cookie paths, and each instance will only seeits own session cookie.

SESSION_COOKIE_SAMESITE¶

Default:'Lax'

The value of theSameSite flag on the session cookie. This flag prevents thecookie from being sent in cross-site requests thus preventing CSRF attacks andmaking some methods of stealing session cookie impossible.

Possible values for the setting are:

• 'Strict': prevents the cookie from being sent by the browser to thetarget site in all cross-site browsing context, even when following a regularlink.

  For example, for a GitHub-like website this would mean that if a logged-inuser follows a link to a private GitHub project posted on a corporatediscussion forum or email, GitHub will not receive the session cookie and theuser won’t be able to access the project. A bank website, however, mostlikely doesn’t want to allow any transactional pages to be linked fromexternal sites so the'Strict' flag would be appropriate.

• 'Lax' (default): provides a balance between security and usability forwebsites that want to maintain user’s logged-in session after the userarrives from an external link.

  In the GitHub scenario, the session cookie would be allowed when following aregular link from an external website and be blocked in CSRF-prone requestmethods (e.g.POST).

• 'None' (string): the session cookie will be sent with all same-site andcross-site requests.

• False: disables the flag.

SESSION_COOKIE_SECURE¶

Default:False

Whether to use a secure cookie for the session cookie. If this is set toTrue, the cookie will be marked as “secure”, which means browsers mayensure that the cookie is only sent under an HTTPS connection.

Leaving this setting off isn’t a good idea because an attacker could capture anunencrypted session cookie with a packet sniffer and use the cookie to hijackthe user’s session.

SESSION_ENGINE¶

Default:'django.contrib.sessions.backends.db'

Controls where Django stores session data. Included engines are:

• 'django.contrib.sessions.backends.db'

• 'django.contrib.sessions.backends.file'

• 'django.contrib.sessions.backends.cache'

• 'django.contrib.sessions.backends.cached_db'

• 'django.contrib.sessions.backends.signed_cookies'

SeeConfiguring the session engine for more details.

SESSION_EXPIRE_AT_BROWSER_CLOSE¶

Default:False

Whether to expire the session when the user closes their browser. SeeBrowser-length sessions vs. persistent sessions.

SESSION_FILE_PATH¶

Default:None

If you’re using file-based session storage, this sets the directory inwhich Django will store session data. When the default value (None) isused, Django will use the standard temporary directory for the system.

SESSION_SAVE_EVERY_REQUEST¶

Default:False

Whether to save the session data on every request. If this isFalse(default), then the session data will only be saved if it has been modified –that is, if any of its dictionary values have been assigned or deleted. Emptysessions won’t be created, even if this setting is active.

SESSION_SERIALIZER¶

Default:'django.contrib.sessions.serializers.JSONSerializer'

Full import path of a serializer class to use for serializing session data.Included serializer is:

• 'django.contrib.sessions.serializers.JSONSerializer'

SeeSession serialization for details.

SITE_ID¶

Default: Not defined

The ID, as an integer, of the current site in thedjango_site databasetable. This is used so that application data can hook into specific sitesand a single database can manage content for multiple sites.

STATIC_ROOT¶

Default:None

The absolute path to the directory wherecollectstatic will collectstatic files for deployment.

Example:"/var/www/example.com/static/"

If thestaticfiles contrib app is enabled(as in the default project template), thecollectstatic managementcommand will collect static files into this directory. See the how-to onmanaging static files for more details aboutusage.

STATIC_URL¶

Default:None

URL to use when referring to static files located inSTATIC_ROOT.

Example:"static/" or"https://static.example.com/"

If notNone, this will be used as the base path forasset definitions (theMedia class) and thestaticfiles app.

It must end in a slash if set to a non-empty value.

You may need toconfigure these files to be served in development and will definitely need to do soin production.

STATICFILES_DIRS¶

Default:[] (Empty list)

This setting defines the additional locations the staticfiles app will traverseif theFileSystemFinder finder is enabled, e.g. if you use thecollectstatic orfindstatic management command or use thestatic file serving view.

This should be set to a list of strings that contain full paths toyour additional files directory(ies) e.g.:

STATICFILES_DIRS=["/home/special.polls.com/polls/static","/home/polls.com/polls/static","/opt/webfiles/common",]

Note that these paths should use Unix-style forward slashes, even on Windows(e.g."C:/Users/user/mysite/extra_static_content").

STATICFILES_DIRS=[# ...("downloads","/opt/webfiles/stats"),]

<ahref="{%static'downloads/polls_20101022.tar.gz'%}">

STATICFILES_FINDERS¶

Default:

["django.contrib.staticfiles.finders.FileSystemFinder","django.contrib.staticfiles.finders.AppDirectoriesFinder",]

The list of finder backends that know how to find static files invarious locations.

The default will find files stored in theSTATICFILES_DIRS setting(usingdjango.contrib.staticfiles.finders.FileSystemFinder) and in astatic subdirectory of each app (usingdjango.contrib.staticfiles.finders.AppDirectoriesFinder). If multiplefiles with the same name are present, the first file that is found will beused.

One finder is disabled by default:django.contrib.staticfiles.finders.DefaultStorageFinder. If added toyourSTATICFILES_FINDERS setting, it will look for static files inthe default file storage as defined by thedefault key in theSTORAGES setting.

Static file finders are currently considered a private interface, and thisinterface is thus undocumented.

Cache¶

• CACHES

• CACHE_MIDDLEWARE_ALIAS

• CACHE_MIDDLEWARE_KEY_PREFIX

• CACHE_MIDDLEWARE_SECONDS

Database¶

• DATABASES

• DATABASE_ROUTERS

• DEFAULT_INDEX_TABLESPACE

• DEFAULT_TABLESPACE

Debugging¶

• DEBUG

• DEBUG_PROPAGATE_EXCEPTIONS

Email¶

• ADMINS

• DEFAULT_CHARSET

• DEFAULT_FROM_EMAIL

• EMAIL_BACKEND

• EMAIL_FILE_PATH

• EMAIL_HOST

• EMAIL_HOST_PASSWORD

• EMAIL_HOST_USER

• EMAIL_PORT

• EMAIL_SSL_CERTFILE

• EMAIL_SSL_KEYFILE

• EMAIL_SUBJECT_PREFIX

• EMAIL_TIMEOUT

• EMAIL_USE_LOCALTIME

• EMAIL_USE_SSL

• EMAIL_USE_TLS

• MANAGERS

• SERVER_EMAIL

Error reporting¶

• DEFAULT_EXCEPTION_REPORTER

• DEFAULT_EXCEPTION_REPORTER_FILTER

• IGNORABLE_404_URLS

• MANAGERS

• SILENCED_SYSTEM_CHECKS

File uploads¶

• FILE_UPLOAD_HANDLERS

• FILE_UPLOAD_MAX_MEMORY_SIZE

• FILE_UPLOAD_PERMISSIONS

• FILE_UPLOAD_TEMP_DIR

• MEDIA_ROOT

• MEDIA_URL

• STORAGES

Forms¶

• FORM_RENDERER

Globalization (i18n/l10n)¶

HTTP¶

• DATA_UPLOAD_MAX_MEMORY_SIZE

• DATA_UPLOAD_MAX_NUMBER_FIELDS

• DATA_UPLOAD_MAX_NUMBER_FILES

• DEFAULT_CHARSET

• DISALLOWED_USER_AGENTS

• FORCE_SCRIPT_NAME

• INTERNAL_IPS

• MIDDLEWARE

• Security

  • SECURE_CONTENT_TYPE_NOSNIFF

  • SECURE_CROSS_ORIGIN_OPENER_POLICY

  • SECURE_CSP

  • SECURE_CSP_REPORT_ONLY

  • SECURE_HSTS_INCLUDE_SUBDOMAINS

  • SECURE_HSTS_PRELOAD

  • SECURE_HSTS_SECONDS

  • SECURE_PROXY_SSL_HEADER

  • SECURE_REDIRECT_EXEMPT

  • SECURE_REFERRER_POLICY

  • SECURE_SSL_HOST

  • SECURE_SSL_REDIRECT

• SIGNING_BACKEND

• USE_X_FORWARDED_HOST

• USE_X_FORWARDED_PORT

• WSGI_APPLICATION

Logging¶

• LOGGING

• LOGGING_CONFIG

Models¶

• ABSOLUTE_URL_OVERRIDES

• FIXTURE_DIRS

• INSTALLED_APPS

Security¶

• Cross Site Request Forgery Protection

  • CSRF_COOKIE_DOMAIN

  • CSRF_COOKIE_NAME

  • CSRF_COOKIE_PATH

  • CSRF_COOKIE_SAMESITE

  • CSRF_COOKIE_SECURE

  • CSRF_FAILURE_VIEW

  • CSRF_HEADER_NAME

  • CSRF_TRUSTED_ORIGINS

  • CSRF_USE_SESSIONS

• SECRET_KEY

• SECRET_KEY_FALLBACKS

• URLIZE_ASSUME_HTTPS

• X_FRAME_OPTIONS

Serialization¶

• DEFAULT_CHARSET

• SERIALIZATION_MODULES

Templates¶

• TEMPLATES

Testing¶

• Database:TEST

• TEST_NON_SERIALIZED_APPS

• TEST_RUNNER

URLs¶

• APPEND_SLASH

• PREPEND_WWW

• ROOT_URLCONF