mirror of
https://github.com/django/django.git
synced 2024-12-26 19:16:11 +00:00
d907371ef9
It's a transitional setting helpful in migrating multiple instance of the same project to Django 3.1+. Thanks Markus Holtermann for the report and review, Florian Apolloner for the implementation idea and review, and Carlton Gibson for the review.
844 lines
41 KiB
Plaintext
844 lines
41 KiB
Plaintext
======================
|
||
System check framework
|
||
======================
|
||
|
||
.. currentmodule:: django.core.checks
|
||
|
||
The system check framework is a set of static checks for validating Django
|
||
projects. It detects common problems and provides hints for how to fix them.
|
||
The framework is extensible so you can easily add your own checks.
|
||
|
||
For details on how to add your own checks and integrate them with Django's
|
||
system checks, see the :doc:`System check topic guide </topics/checks>`.
|
||
|
||
API reference
|
||
=============
|
||
|
||
``CheckMessage``
|
||
----------------
|
||
|
||
.. class:: CheckMessage(level, msg, hint=None, obj=None, id=None)
|
||
|
||
The warnings and errors raised by system checks must be instances of
|
||
``CheckMessage``. An instance encapsulates a single reportable error or
|
||
warning. It also provides context and hints applicable to the message, and a
|
||
unique identifier that is used for filtering purposes.
|
||
|
||
Constructor arguments are:
|
||
|
||
``level``
|
||
The severity of the message. Use one of the predefined values: ``DEBUG``,
|
||
``INFO``, ``WARNING``, ``ERROR``, ``CRITICAL``. If the level is greater or
|
||
equal to ``ERROR``, then Django will prevent management commands from
|
||
executing. Messages with level lower than ``ERROR`` (i.e. warnings) are
|
||
reported to the console, but can be silenced.
|
||
|
||
``msg``
|
||
A short (less than 80 characters) string describing the problem. The string
|
||
should *not* contain newlines.
|
||
|
||
``hint``
|
||
A single-line string providing a hint for fixing the problem. If no hint
|
||
can be provided, or the hint is self-evident from the error message, the
|
||
hint can be omitted, or a value of ``None`` can be used.
|
||
|
||
``obj``
|
||
Optional. An object providing context for the message (for example, the
|
||
model where the problem was discovered). The object should be a model,
|
||
field, or manager or any other object that defines a ``__str__()`` method.
|
||
The method is used while reporting all messages and its result precedes the
|
||
message.
|
||
|
||
``id``
|
||
Optional string. A unique identifier for the issue. Identifiers should
|
||
follow the pattern ``applabel.X001``, where ``X`` is one of the letters
|
||
``CEWID``, indicating the message severity (``C`` for criticals, ``E`` for
|
||
errors and so). The number can be allocated by the application, but should
|
||
be unique within that application.
|
||
|
||
There are subclasses to make creating messages with common levels easier. When
|
||
using them you can omit the ``level`` argument because it is implied by the
|
||
class name.
|
||
|
||
.. class:: Debug(msg, hint=None, obj=None, id=None)
|
||
.. class:: Info(msg, hint=None, obj=None, id=None)
|
||
.. class:: Warning(msg, hint=None obj=None, id=None)
|
||
.. class:: Error(msg, hint=None, obj=None, id=None)
|
||
.. class:: Critical(msg, hint=None, obj=None, id=None)
|
||
|
||
.. _system-check-builtin-tags:
|
||
|
||
Builtin tags
|
||
============
|
||
|
||
Django's system checks are organized using the following tags:
|
||
|
||
* ``admin``: Checks of any admin site declarations.
|
||
* ``async_support``: Checks asynchronous-related configuration.
|
||
* ``caches``: Checks cache related configuration.
|
||
* ``compatibility``: Flags potential problems with version upgrades.
|
||
* ``database``: Checks database-related configuration issues. Database checks
|
||
are not run by default because they do more than static code analysis as
|
||
regular checks do. They are only run by the :djadmin:`migrate` command or if
|
||
you specify configured database aliases using the ``--database`` option when
|
||
calling the :djadmin:`check` command.
|
||
* ``models``: Checks of model, field, and manager definitions.
|
||
* ``security``: Checks security related configuration.
|
||
* ``signals``: Checks on signal declarations and handler registrations.
|
||
* ``sites``: Checks :mod:`django.contrib.sites` configuration.
|
||
* ``staticfiles``: Checks :mod:`django.contrib.staticfiles` configuration.
|
||
* ``templates``: Checks template related configuration.
|
||
* ``translation``: Checks translation related configuration.
|
||
* ``urls``: Checks URL configuration.
|
||
|
||
Some checks may be registered with multiple tags.
|
||
|
||
.. versionchanged:: 3.1
|
||
|
||
The ``async_support`` tag was added.
|
||
|
||
.. versionchanged:: 3.1
|
||
|
||
The ``database`` checks are now run only for database aliases specified
|
||
using the :option:`check --database` option.
|
||
|
||
.. versionchanged:: 3.2
|
||
|
||
The ``sites`` tag was added.
|
||
|
||
Core system checks
|
||
==================
|
||
|
||
Asynchronous support
|
||
--------------------
|
||
|
||
.. versionadded:: 3.1
|
||
|
||
The following checks verify your setup for :doc:`/topics/async`:
|
||
|
||
* **async.E001**: You should not set the :envvar:`DJANGO_ALLOW_ASYNC_UNSAFE`
|
||
environment variable in deployment. This disables :ref:`async safety
|
||
protection <async-safety>`.
|
||
|
||
Backwards compatibility
|
||
-----------------------
|
||
|
||
Compatibility checks warn of potential problems that might occur after
|
||
upgrading Django.
|
||
|
||
* **2_0.W001**: Your URL pattern ``<pattern>`` has a ``route`` that contains
|
||
``(?P<``, begins with a ``^``, or ends with a ``$``. This was likely an
|
||
oversight when migrating from ``url()`` to :func:`~django.urls.path`.
|
||
|
||
Caches
|
||
------
|
||
|
||
The following checks verify that your :setting:`CACHES` setting is correctly
|
||
configured:
|
||
|
||
* **caches.E001**: You must define a ``'default'`` cache in your
|
||
:setting:`CACHES` setting.
|
||
|
||
Database
|
||
--------
|
||
|
||
MySQL and MariaDB
|
||
~~~~~~~~~~~~~~~~~
|
||
|
||
If you're using MySQL or MariaDB, the following checks will be performed:
|
||
|
||
* **mysql.E001**: MySQL/MariaDB does not allow unique ``CharField``\s to have a
|
||
``max_length`` > 255. *This check was changed to* ``mysql.W003`` *in Django
|
||
3.1 as the real maximum size depends on many factors.*
|
||
* **mysql.W002**: MySQL/MariaDB Strict Mode is not set for database connection
|
||
``<alias>``. See also :ref:`mysql-sql-mode`.
|
||
* **mysql.W003**: MySQL/MariaDB may not allow unique ``CharField``\s to have a
|
||
``max_length`` > 255.
|
||
|
||
Model fields
|
||
------------
|
||
|
||
* **fields.E001**: Field names must not end with an underscore.
|
||
* **fields.E002**: Field names must not contain ``"__"``.
|
||
* **fields.E003**: ``pk`` is a reserved word that cannot be used as a field
|
||
name.
|
||
* **fields.E004**: ``choices`` must be an iterable (e.g., a list or tuple).
|
||
* **fields.E005**: ``choices`` must be an iterable returning ``(actual value,
|
||
human readable name)`` tuples.
|
||
* **fields.E006**: ``db_index`` must be ``None``, ``True`` or ``False``.
|
||
* **fields.E007**: Primary keys must not have ``null=True``.
|
||
* **fields.E008**: All ``validators`` must be callable.
|
||
* **fields.E009**: ``max_length`` is too small to fit the longest value in
|
||
``choices`` (``<count>`` characters).
|
||
* **fields.E010**: ``<field>`` default should be a callable instead of an
|
||
instance so that it's not shared between all field instances.
|
||
* **fields.E100**: ``AutoField``\s must set primary_key=True.
|
||
* **fields.E110**: ``BooleanField``\s do not accept null values. *This check
|
||
appeared before support for null values was added in Django 2.1.*
|
||
* **fields.E120**: ``CharField``\s must define a ``max_length`` attribute.
|
||
* **fields.E121**: ``max_length`` must be a positive integer.
|
||
* **fields.W122**: ``max_length`` is ignored when used with
|
||
``<integer field type>``.
|
||
* **fields.E130**: ``DecimalField``\s must define a ``decimal_places`` attribute.
|
||
* **fields.E131**: ``decimal_places`` must be a non-negative integer.
|
||
* **fields.E132**: ``DecimalField``\s must define a ``max_digits`` attribute.
|
||
* **fields.E133**: ``max_digits`` must be a non-negative integer.
|
||
* **fields.E134**: ``max_digits`` must be greater or equal to ``decimal_places``.
|
||
* **fields.E140**: ``FilePathField``\s must have either ``allow_files`` or
|
||
``allow_folders`` set to True.
|
||
* **fields.E150**: ``GenericIPAddressField``\s cannot accept blank values if
|
||
null values are not allowed, as blank values are stored as nulls.
|
||
* **fields.E160**: The options ``auto_now``, ``auto_now_add``, and ``default``
|
||
are mutually exclusive. Only one of these options may be present.
|
||
* **fields.W161**: Fixed default value provided.
|
||
* **fields.W162**: ``<database>`` does not support a database index on
|
||
``<field data type>`` columns.
|
||
* **fields.E170**: ``BinaryField``’s ``default`` cannot be a string. Use bytes
|
||
content instead.
|
||
* **fields.E180**: ``<database>`` does not support ``JSONField``\s.
|
||
* **fields.E900**: ``IPAddressField`` has been removed except for support in
|
||
historical migrations.
|
||
* **fields.W900**: ``IPAddressField`` has been deprecated. Support for it
|
||
(except in historical migrations) will be removed in Django 1.9. *This check
|
||
appeared in Django 1.7 and 1.8*.
|
||
* **fields.W901**: ``CommaSeparatedIntegerField`` has been deprecated. Support
|
||
for it (except in historical migrations) will be removed in Django 2.0. *This
|
||
check appeared in Django 1.10 and 1.11*.
|
||
* **fields.E901**: ``CommaSeparatedIntegerField`` is removed except for support
|
||
in historical migrations.
|
||
* **fields.W902**: ``FloatRangeField`` is deprecated and will be removed in
|
||
Django 3.1. *This check appeared in Django 2.2 and 3.0*.
|
||
* **fields.W903**: ``NullBooleanField`` is deprecated. Support for it (except
|
||
in historical migrations) will be removed in Django 4.0.
|
||
* **fields.W904**: ``django.contrib.postgres.fields.JSONField`` is deprecated.
|
||
Support for it (except in historical migrations) will be removed in Django
|
||
4.0.
|
||
|
||
File fields
|
||
~~~~~~~~~~~
|
||
|
||
* **fields.E200**: ``unique`` is not a valid argument for a ``FileField``.
|
||
*This check is removed in Django 1.11*.
|
||
* **fields.E201**: ``primary_key`` is not a valid argument for a ``FileField``.
|
||
* **fields.E202**: ``FileField``’s ``upload_to`` argument must be a relative
|
||
path, not an absolute path.
|
||
* **fields.E210**: Cannot use ``ImageField`` because Pillow is not installed.
|
||
|
||
Related fields
|
||
~~~~~~~~~~~~~~
|
||
|
||
* **fields.E300**: Field defines a relation with model ``<model>``, which is
|
||
either not installed, or is abstract.
|
||
* **fields.E301**: Field defines a relation with the model ``<model>`` which
|
||
has been swapped out.
|
||
* **fields.E302**: Accessor for field ``<field name>`` clashes with field
|
||
``<field name>``.
|
||
* **fields.E303**: Reverse query name for field ``<field name>`` clashes with
|
||
field ``<field name>``.
|
||
* **fields.E304**: Field name ``<field name>`` clashes with accessor for
|
||
``<field name>``.
|
||
* **fields.E305**: Field name ``<field name>`` clashes with reverse query name
|
||
for ``<field name>``.
|
||
* **fields.E306**: Related name must be a valid Python identifier or end with
|
||
a ``'+'``.
|
||
* **fields.E307**: The field ``<app label>.<model>.<field name>`` was declared
|
||
with a lazy reference to ``<app label>.<model>``, but app ``<app label>``
|
||
isn't installed or doesn't provide model ``<model>``.
|
||
* **fields.E308**: Reverse query name ``<related query name>`` must not end
|
||
with an underscore.
|
||
* **fields.E309**: Reverse query name ``<related query name>`` must not contain
|
||
``'__'``.
|
||
* **fields.E310**: No subset of the fields ``<field1>``, ``<field2>``, ... on
|
||
model ``<model>`` is unique.
|
||
* **fields.E311**: ``<model>.<field name>`` must be unique because it is
|
||
referenced by a ``ForeignKey``.
|
||
* **fields.E312**: The ``to_field`` ``<field name>`` doesn't exist on the
|
||
related model ``<app label>.<model>``.
|
||
* **fields.E320**: Field specifies ``on_delete=SET_NULL``, but cannot be null.
|
||
* **fields.E321**: The field specifies ``on_delete=SET_DEFAULT``, but has no
|
||
default value.
|
||
* **fields.E330**: ``ManyToManyField``\s cannot be unique.
|
||
* **fields.E331**: Field specifies a many-to-many relation through model
|
||
``<model>``, which has not been installed.
|
||
* **fields.E332**: Many-to-many fields with intermediate tables must not be
|
||
symmetrical. *This check appeared before Django 3.0.*
|
||
* **fields.E333**: The model is used as an intermediate model by ``<model>``,
|
||
but it has more than two foreign keys to ``<model>``, which is ambiguous.
|
||
You must specify which two foreign keys Django should use via the
|
||
``through_fields`` keyword argument.
|
||
* **fields.E334**: The model is used as an intermediate model by ``<model>``,
|
||
but it has more than one foreign key from ``<model>``, which is ambiguous.
|
||
You must specify which foreign key Django should use via the
|
||
``through_fields`` keyword argument.
|
||
* **fields.E335**: The model is used as an intermediate model by ``<model>``,
|
||
but it has more than one foreign key to ``<model>``, which is ambiguous.
|
||
You must specify which foreign key Django should use via the
|
||
``through_fields`` keyword argument.
|
||
* **fields.E336**: The model is used as an intermediary model by ``<model>``,
|
||
but it does not have foreign key to ``<model>`` or ``<model>``.
|
||
* **fields.E337**: Field specifies ``through_fields`` but does not provide the
|
||
names of the two link fields that should be used for the relation through
|
||
``<model>``.
|
||
* **fields.E338**: The intermediary model ``<through model>`` has no field
|
||
``<field name>``.
|
||
* **fields.E339**: ``<model>.<field name>`` is not a foreign key to ``<model>``.
|
||
* **fields.E340**: The field's intermediary table ``<table name>`` clashes with
|
||
the table name of ``<model>``/``<model>.<field name>``.
|
||
* **fields.W340**: ``null`` has no effect on ``ManyToManyField``.
|
||
* **fields.W341**: ``ManyToManyField`` does not support ``validators``.
|
||
* **fields.W342**: Setting ``unique=True`` on a ``ForeignKey`` has the same
|
||
effect as using a ``OneToOneField``.
|
||
* **fields.W343**: ``limit_choices_to`` has no effect on ``ManyToManyField``
|
||
with a ``through`` model.
|
||
* **fields.W344**: The field's intermediary table ``<table name>`` clashes with
|
||
the table name of ``<model>``/``<model>.<field name>``.
|
||
|
||
Models
|
||
------
|
||
|
||
* **models.E001**: ``<swappable>`` is not of the form ``app_label.app_name``.
|
||
* **models.E002**: ``<SETTING>`` references ``<model>``, which has not been
|
||
installed, or is abstract.
|
||
* **models.E003**: The model has two identical many-to-many relations through
|
||
the intermediate model ``<app_label>.<model>``.
|
||
* **models.E004**: ``id`` can only be used as a field name if the field also
|
||
sets ``primary_key=True``.
|
||
* **models.E005**: The field ``<field name>`` from parent model ``<model>``
|
||
clashes with the field ``<field name>`` from parent model ``<model>``.
|
||
* **models.E006**: The field clashes with the field ``<field name>`` from model
|
||
``<model>``.
|
||
* **models.E007**: Field ``<field name>`` has column name ``<column name>``
|
||
that is used by another field.
|
||
* **models.E008**: ``index_together`` must be a list or tuple.
|
||
* **models.E009**: All ``index_together`` elements must be lists or tuples.
|
||
* **models.E010**: ``unique_together`` must be a list or tuple.
|
||
* **models.E011**: All ``unique_together`` elements must be lists or tuples.
|
||
* **models.E012**: ``constraints/indexes/index_together/unique_together``
|
||
refers to the nonexistent field ``<field name>``.
|
||
* **models.E013**: ``constraints/indexes/index_together/unique_together``
|
||
refers to a ``ManyToManyField`` ``<field name>``, but ``ManyToManyField``\s
|
||
are not supported for that option.
|
||
* **models.E014**: ``ordering`` must be a tuple or list (even if you want to
|
||
order by only one field).
|
||
* **models.E015**: ``ordering`` refers to the nonexistent field, related field,
|
||
or lookup ``<field name>``.
|
||
* **models.E016**: ``constraints/indexes/index_together/unique_together``
|
||
refers to field ``<field_name>`` which is not local to model ``<model>``.
|
||
* **models.E017**: Proxy model ``<model>`` contains model fields.
|
||
* **models.E018**: Autogenerated column name too long for field ``<field>``.
|
||
Maximum length is ``<maximum length>`` for database ``<alias>``.
|
||
* **models.E019**: Autogenerated column name too long for M2M field
|
||
``<M2M field>``. Maximum length is ``<maximum length>`` for database
|
||
``<alias>``.
|
||
* **models.E020**: The ``<model>.check()`` class method is currently overridden.
|
||
* **models.E021**: ``ordering`` and ``order_with_respect_to`` cannot be used
|
||
together.
|
||
* **models.E022**: ``<function>`` contains a lazy reference to
|
||
``<app label>.<model>``, but app ``<app label>`` isn't installed or
|
||
doesn't provide model ``<model>``.
|
||
* **models.E023**: The model name ``<model>`` cannot start or end with an
|
||
underscore as it collides with the query lookup syntax.
|
||
* **models.E024**: The model name ``<model>`` cannot contain double underscores
|
||
as it collides with the query lookup syntax.
|
||
* **models.E025**: The property ``<property name>`` clashes with a related
|
||
field accessor.
|
||
* **models.E026**: The model cannot have more than one field with
|
||
``primary_key=True``.
|
||
* **models.W027**: ``<database>`` does not support check constraints.
|
||
* **models.E028**: ``db_table`` ``<db_table>`` is used by multiple models:
|
||
``<model list>``.
|
||
* **models.E029**: index name ``<index>`` is not unique for model ``<model>``.
|
||
* **models.E030**: index name ``<index>`` is not unique among models:
|
||
``<model list>``.
|
||
* **models.E031**: constraint name ``<constraint>`` is not unique for model
|
||
``<model>``.
|
||
* **models.E032**: constraint name ``<constraint>`` is not unique among
|
||
models: ``<model list>``.
|
||
* **models.E033**: The index name ``<index>`` cannot start with an underscore
|
||
or a number.
|
||
* **models.E034**: The index name ``<index>`` cannot be longer than
|
||
``<max_length>`` characters.
|
||
* **models.W035**: ``db_table`` ``<db_table>`` is used by multiple models:
|
||
``<model list>``.
|
||
* **models.W036**: ``<database>`` does not support unique constraints with
|
||
conditions.
|
||
* **models.W037**: ``<database>`` does not support indexes with conditions.
|
||
* **models.W038**: ``<database>`` does not support deferrable unique
|
||
constraints.
|
||
* **models.W039**: ``<database>`` does not support unique constraints with
|
||
non-key columns.
|
||
* **models.W040**: ``<database>`` does not support indexes with non-key
|
||
columns.
|
||
* **models.E041**: ``constraints`` refers to the joined field ``<field name>``.
|
||
|
||
Security
|
||
--------
|
||
|
||
The security checks do not make your site secure. They do not audit code, do
|
||
intrusion detection, or do anything particularly complex. Rather, they help
|
||
perform an automated, low-hanging-fruit checklist, that can help you to improve
|
||
your site's security.
|
||
|
||
Some of these checks may not be appropriate for your particular deployment
|
||
configuration. For instance, if you do your HTTP to HTTPS redirection in a load
|
||
balancer, it'd be irritating to be constantly warned about not having enabled
|
||
:setting:`SECURE_SSL_REDIRECT`. Use :setting:`SILENCED_SYSTEM_CHECKS` to
|
||
silence unneeded checks.
|
||
|
||
The following checks are run if you use the :option:`check --deploy` option:
|
||
|
||
* **security.W001**: You do not have
|
||
:class:`django.middleware.security.SecurityMiddleware` in your
|
||
:setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`,
|
||
:setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_BROWSER_XSS_FILTER`,
|
||
:setting:`SECURE_REFERRER_POLICY`, and :setting:`SECURE_SSL_REDIRECT`
|
||
settings will have no effect.
|
||
* **security.W002**: You do not have
|
||
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
|
||
:setting:`MIDDLEWARE`, so your pages will not be served with an
|
||
``'x-frame-options'`` header. Unless there is a good reason for your
|
||
site to be served in a frame, you should consider enabling this
|
||
header to help prevent clickjacking attacks.
|
||
* **security.W003**: You don't appear to be using Django's built-in cross-site
|
||
request forgery protection via the middleware
|
||
(:class:`django.middleware.csrf.CsrfViewMiddleware` is not in your
|
||
:setting:`MIDDLEWARE`). Enabling the middleware is the safest
|
||
approach to ensure you don't leave any holes.
|
||
* **security.W004**: You have not set a value for the
|
||
:setting:`SECURE_HSTS_SECONDS` setting. If your entire site is served only
|
||
over SSL, you may want to consider setting a value and enabling :ref:`HTTP
|
||
Strict Transport Security <http-strict-transport-security>`. Be sure to read
|
||
the documentation first; enabling HSTS carelessly can cause serious,
|
||
irreversible problems.
|
||
* **security.W005**: You have not set the
|
||
:setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` setting to ``True``. Without this,
|
||
your site is potentially vulnerable to attack via an insecure connection to a
|
||
subdomain. Only set this to ``True`` if you are certain that all subdomains of
|
||
your domain should be served exclusively via SSL.
|
||
* **security.W006**: Your :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting is not
|
||
set to ``True``, so your pages will not be served with an
|
||
``'X-Content-Type-Options: nosniff'`` header. You should consider enabling
|
||
this header to prevent the browser from identifying content types incorrectly.
|
||
* **security.W007**: Your :setting:`SECURE_BROWSER_XSS_FILTER` setting is not
|
||
set to ``True``, so your pages will not be served with an
|
||
``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling
|
||
this header to activate the browser's XSS filtering and help prevent XSS
|
||
attacks. *This check is removed in Django 3.0 as the* ``X-XSS-Protection``
|
||
*header is no longer honored by modern browsers.*
|
||
* **security.W008**: Your :setting:`SECURE_SSL_REDIRECT` setting is not set to
|
||
``True``. Unless your site should be available over both SSL and non-SSL
|
||
connections, you may want to either set this setting to ``True`` or configure
|
||
a load balancer or reverse-proxy server to redirect all connections to HTTPS.
|
||
* **security.W009**: Your :setting:`SECRET_KEY` has less than 50 characters or
|
||
less than 5 unique characters. Please generate a long and random
|
||
``SECRET_KEY``, otherwise many of Django's security-critical features will be
|
||
vulnerable to attack.
|
||
* **security.W010**: You have :mod:`django.contrib.sessions` in your
|
||
:setting:`INSTALLED_APPS` but you have not set
|
||
:setting:`SESSION_COOKIE_SECURE` to ``True``. Using a secure-only session
|
||
cookie makes it more difficult for network traffic sniffers to hijack user
|
||
sessions.
|
||
* **security.W011**: You have
|
||
:class:`django.contrib.sessions.middleware.SessionMiddleware` in your
|
||
:setting:`MIDDLEWARE`, but you have not set :setting:`SESSION_COOKIE_SECURE`
|
||
to ``True``. Using a secure-only session cookie makes it more difficult for
|
||
network traffic sniffers to hijack user sessions.
|
||
* **security.W012**: :setting:`SESSION_COOKIE_SECURE` is not set to ``True``.
|
||
Using a secure-only session cookie makes it more difficult for network traffic
|
||
sniffers to hijack user sessions.
|
||
* **security.W013**: You have :mod:`django.contrib.sessions` in your
|
||
:setting:`INSTALLED_APPS`, but you have not set
|
||
:setting:`SESSION_COOKIE_HTTPONLY` to ``True``. Using an ``HttpOnly`` session
|
||
cookie makes it more difficult for cross-site scripting attacks to hijack user
|
||
sessions.
|
||
* **security.W014**: You have
|
||
:class:`django.contrib.sessions.middleware.SessionMiddleware` in your
|
||
:setting:`MIDDLEWARE`, but you have not set :setting:`SESSION_COOKIE_HTTPONLY`
|
||
to ``True``. Using an ``HttpOnly`` session cookie makes it more difficult for
|
||
cross-site scripting attacks to hijack user sessions.
|
||
* **security.W015**: :setting:`SESSION_COOKIE_HTTPONLY` is not set to ``True``.
|
||
Using an ``HttpOnly`` session cookie makes it more difficult for cross-site
|
||
scripting attacks to hijack user sessions.
|
||
* **security.W016**: :setting:`CSRF_COOKIE_SECURE` is not set to ``True``.
|
||
Using a secure-only CSRF cookie makes it more difficult for network traffic
|
||
sniffers to steal the CSRF token.
|
||
* **security.W017**: :setting:`CSRF_COOKIE_HTTPONLY` is not set to ``True``.
|
||
Using an ``HttpOnly`` CSRF cookie makes it more difficult for cross-site
|
||
scripting attacks to steal the CSRF token. *This check is removed in Django
|
||
1.11 as the* :setting:`CSRF_COOKIE_HTTPONLY` *setting offers no practical
|
||
benefit.*
|
||
* **security.W018**: You should not have :setting:`DEBUG` set to ``True`` in
|
||
deployment.
|
||
* **security.W019**: You have
|
||
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
|
||
:setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to
|
||
``'DENY'``. Unless there is a good reason for your site to serve other parts
|
||
of itself in a frame, you should change it to ``'DENY'``.
|
||
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
|
||
* **security.W021**: You have not set the
|
||
:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site
|
||
cannot be submitted to the browser preload list.
|
||
* **security.W022**: You have not set the :setting:`SECURE_REFERRER_POLICY`
|
||
setting. Without this, your site will not send a Referrer-Policy header. You
|
||
should consider enabling this header to protect user privacy.
|
||
* **security.E023**: You have set the :setting:`SECURE_REFERRER_POLICY` setting
|
||
to an invalid value.
|
||
|
||
The following checks verify that your security-related settings are correctly
|
||
configured:
|
||
|
||
* **security.E100**: :setting:`DEFAULT_HASHING_ALGORITHM` must be ``'sha1'`` or
|
||
``'sha256'``.
|
||
|
||
Signals
|
||
-------
|
||
|
||
* **signals.E001**: ``<handler>`` was connected to the ``<signal>`` signal with
|
||
a lazy reference to the sender ``<app label>.<model>``, but app ``<app label>``
|
||
isn't installed or doesn't provide model ``<model>``.
|
||
|
||
Templates
|
||
---------
|
||
|
||
The following checks verify that your :setting:`TEMPLATES` setting is correctly
|
||
configured:
|
||
|
||
* **templates.E001**: You have ``'APP_DIRS': True`` in your
|
||
:setting:`TEMPLATES` but also specify ``'loaders'`` in ``OPTIONS``. Either
|
||
remove ``APP_DIRS`` or remove the ``'loaders'`` option.
|
||
* **templates.E002**: ``string_if_invalid`` in :setting:`TEMPLATES`
|
||
:setting:`OPTIONS <TEMPLATES-OPTIONS>` must be a string but got: ``{value}``
|
||
(``{type}``).
|
||
|
||
Translation
|
||
-----------
|
||
|
||
The following checks are performed on your translation configuration:
|
||
|
||
* **translation.E001**: You have provided an invalid value for the
|
||
:setting:`LANGUAGE_CODE` setting: ``<value>``.
|
||
* **translation.E002**: You have provided an invalid language code in the
|
||
:setting:`LANGUAGES` setting: ``<value>``.
|
||
* **translation.E003**: You have provided an invalid language code in the
|
||
:setting:`LANGUAGES_BIDI` setting: ``<value>``.
|
||
* **translation.E004**: You have provided a value for the
|
||
:setting:`LANGUAGE_CODE` setting that is not in the :setting:`LANGUAGES`
|
||
setting.
|
||
|
||
URLs
|
||
----
|
||
|
||
The following checks are performed on your URL configuration:
|
||
|
||
* **urls.W001**: Your URL pattern ``<pattern>`` uses
|
||
:func:`~django.urls.include` with a ``route`` ending with a ``$``. Remove the
|
||
dollar from the ``route`` to avoid problems including URLs.
|
||
* **urls.W002**: Your URL pattern ``<pattern>`` has a ``route`` beginning with
|
||
a ``/``. Remove this slash as it is unnecessary. If this pattern is targeted
|
||
in an :func:`~django.urls.include`, ensure the :func:`~django.urls.include`
|
||
pattern has a trailing ``/``.
|
||
* **urls.W003**: Your URL pattern ``<pattern>`` has a ``name``
|
||
including a ``:``. Remove the colon, to avoid ambiguous namespace
|
||
references.
|
||
* **urls.E004**: Your URL pattern ``<pattern>`` is invalid. Ensure that
|
||
``urlpatterns`` is a list of :func:`~django.urls.path` and/or
|
||
:func:`~django.urls.re_path` instances.
|
||
* **urls.W005**: URL namespace ``<namespace>`` isn't unique. You may not be
|
||
able to reverse all URLs in this namespace.
|
||
* **urls.E006**: The :setting:`MEDIA_URL`/ :setting:`STATIC_URL` setting must
|
||
end with a slash.
|
||
* **urls.E007**: The custom ``handlerXXX`` view ``'path.to.view'`` does not
|
||
take the correct number of arguments (…).
|
||
* **urls.E008**: The custom ``handlerXXX`` view ``'path.to.view'`` could not be
|
||
imported.
|
||
|
||
``contrib`` app checks
|
||
======================
|
||
|
||
``admin``
|
||
---------
|
||
|
||
Admin checks are all performed as part of the ``admin`` tag.
|
||
|
||
The following checks are performed on any
|
||
:class:`~django.contrib.admin.ModelAdmin` (or subclass) that is registered
|
||
with the admin site:
|
||
|
||
* **admin.E001**: The value of ``raw_id_fields`` must be a list or tuple.
|
||
* **admin.E002**: The value of ``raw_id_fields[n]`` refers to ``<field name>``,
|
||
which is not an attribute of ``<model>``.
|
||
* **admin.E003**: The value of ``raw_id_fields[n]`` must be a foreign key or
|
||
a many-to-many field.
|
||
* **admin.E004**: The value of ``fields`` must be a list or tuple.
|
||
* **admin.E005**: Both ``fieldsets`` and ``fields`` are specified.
|
||
* **admin.E006**: The value of ``fields`` contains duplicate field(s).
|
||
* **admin.E007**: The value of ``fieldsets`` must be a list or tuple.
|
||
* **admin.E008**: The value of ``fieldsets[n]`` must be a list or tuple.
|
||
* **admin.E009**: The value of ``fieldsets[n]`` must be of length 2.
|
||
* **admin.E010**: The value of ``fieldsets[n][1]`` must be a dictionary.
|
||
* **admin.E011**: The value of ``fieldsets[n][1]`` must contain the key
|
||
``fields``.
|
||
* **admin.E012**: There are duplicate field(s) in ``fieldsets[n][1]``.
|
||
* **admin.E013**: ``fields[n]/fieldsets[n][m]`` cannot include the
|
||
``ManyToManyField`` ``<field name>``, because that field manually specifies a
|
||
relationship model.
|
||
* **admin.E014**: The value of ``exclude`` must be a list or tuple.
|
||
* **admin.E015**: The value of ``exclude`` contains duplicate field(s).
|
||
* **admin.E016**: The value of ``form`` must inherit from ``BaseModelForm``.
|
||
* **admin.E017**: The value of ``filter_vertical`` must be a list or tuple.
|
||
* **admin.E018**: The value of ``filter_horizontal`` must be a list or tuple.
|
||
* **admin.E019**: The value of ``filter_vertical[n]/filter_vertical[n]`` refers
|
||
to ``<field name>``, which is not an attribute of ``<model>``.
|
||
* **admin.E020**: The value of ``filter_vertical[n]/filter_vertical[n]`` must
|
||
be a many-to-many field.
|
||
* **admin.E021**: The value of ``radio_fields`` must be a dictionary.
|
||
* **admin.E022**: The value of ``radio_fields`` refers to ``<field name>``,
|
||
which is not an attribute of ``<model>``.
|
||
* **admin.E023**: The value of ``radio_fields`` refers to ``<field name>``,
|
||
which is not a ``ForeignKey``, and does not have a ``choices`` definition.
|
||
* **admin.E024**: The value of ``radio_fields[<field name>]`` must be either
|
||
``admin.HORIZONTAL`` or ``admin.VERTICAL``.
|
||
* **admin.E025**: The value of ``view_on_site`` must be either a callable or a
|
||
boolean value.
|
||
* **admin.E026**: The value of ``prepopulated_fields`` must be a dictionary.
|
||
* **admin.E027**: The value of ``prepopulated_fields`` refers to
|
||
``<field name>``, which is not an attribute of ``<model>``.
|
||
* **admin.E028**: The value of ``prepopulated_fields`` refers to
|
||
``<field name>``, which must not be a ``DateTimeField``, a ``ForeignKey``,
|
||
a ``OneToOneField``, or a ``ManyToManyField`` field.
|
||
* **admin.E029**: The value of ``prepopulated_fields[<field name>]`` must be a
|
||
list or tuple.
|
||
* **admin.E030**: The value of ``prepopulated_fields`` refers to
|
||
``<field name>``, which is not an attribute of ``<model>``.
|
||
* **admin.E031**: The value of ``ordering`` must be a list or tuple.
|
||
* **admin.E032**: The value of ``ordering`` has the random ordering marker
|
||
``?``, but contains other fields as well.
|
||
* **admin.E033**: The value of ``ordering`` refers to ``<field name>``, which
|
||
is not an attribute of ``<model>``.
|
||
* **admin.E034**: The value of ``readonly_fields`` must be a list or tuple.
|
||
* **admin.E035**: The value of ``readonly_fields[n]`` is not a callable, an
|
||
attribute of ``<ModelAdmin class>``, or an attribute of ``<model>``.
|
||
* **admin.E036**: The value of ``autocomplete_fields`` must be a list or tuple.
|
||
* **admin.E037**: The value of ``autocomplete_fields[n]`` refers to
|
||
``<field name>``, which is not an attribute of ``<model>``.
|
||
* **admin.E038**: The value of ``autocomplete_fields[n]`` must be a foreign
|
||
key or a many-to-many field.
|
||
* **admin.E039**: An admin for model ``<model>`` has to be registered to be
|
||
referenced by ``<modeladmin>.autocomplete_fields``.
|
||
* **admin.E040**: ``<modeladmin>`` must define ``search_fields``, because
|
||
it's referenced by ``<other_modeladmin>.autocomplete_fields``.
|
||
|
||
``ModelAdmin``
|
||
~~~~~~~~~~~~~~
|
||
|
||
The following checks are performed on any
|
||
:class:`~django.contrib.admin.ModelAdmin` that is registered
|
||
with the admin site:
|
||
|
||
* **admin.E101**: The value of ``save_as`` must be a boolean.
|
||
* **admin.E102**: The value of ``save_on_top`` must be a boolean.
|
||
* **admin.E103**: The value of ``inlines`` must be a list or tuple.
|
||
* **admin.E104**: ``<InlineModelAdmin class>`` must inherit from
|
||
``InlineModelAdmin``.
|
||
* **admin.E105**: ``<InlineModelAdmin class>`` must have a ``model`` attribute.
|
||
* **admin.E106**: The value of ``<InlineModelAdmin class>.model`` must be a
|
||
``Model``.
|
||
* **admin.E107**: The value of ``list_display`` must be a list or tuple.
|
||
* **admin.E108**: The value of ``list_display[n]`` refers to ``<label>``,
|
||
which is not a callable, an attribute of ``<ModelAdmin class>``, or an
|
||
attribute or method on ``<model>``.
|
||
* **admin.E109**: The value of ``list_display[n]`` must not be a
|
||
``ManyToManyField`` field.
|
||
* **admin.E110**: The value of ``list_display_links`` must be a list, a tuple,
|
||
or ``None``.
|
||
* **admin.E111**: The value of ``list_display_links[n]`` refers to ``<label>``,
|
||
which is not defined in ``list_display``.
|
||
* **admin.E112**: The value of ``list_filter`` must be a list or tuple.
|
||
* **admin.E113**: The value of ``list_filter[n]`` must inherit from
|
||
``ListFilter``.
|
||
* **admin.E114**: The value of ``list_filter[n]`` must not inherit from
|
||
``FieldListFilter``.
|
||
* **admin.E115**: The value of ``list_filter[n][1]`` must inherit from
|
||
``FieldListFilter``.
|
||
* **admin.E116**: The value of ``list_filter[n]`` refers to ``<label>``,
|
||
which does not refer to a Field.
|
||
* **admin.E117**: The value of ``list_select_related`` must be a boolean,
|
||
tuple or list.
|
||
* **admin.E118**: The value of ``list_per_page`` must be an integer.
|
||
* **admin.E119**: The value of ``list_max_show_all`` must be an integer.
|
||
* **admin.E120**: The value of ``list_editable`` must be a list or tuple.
|
||
* **admin.E121**: The value of ``list_editable[n]`` refers to ``<label>``,
|
||
which is not an attribute of ``<model>``.
|
||
* **admin.E122**: The value of ``list_editable[n]`` refers to ``<label>``,
|
||
which is not contained in ``list_display``.
|
||
* **admin.E123**: The value of ``list_editable[n]`` cannot be in both
|
||
``list_editable`` and ``list_display_links``.
|
||
* **admin.E124**: The value of ``list_editable[n]`` refers to the first field
|
||
in ``list_display`` (``<label>``), which cannot be used unless
|
||
``list_display_links`` is set.
|
||
* **admin.E125**: The value of ``list_editable[n]`` refers to ``<field name>``,
|
||
which is not editable through the admin.
|
||
* **admin.E126**: The value of ``search_fields`` must be a list or tuple.
|
||
* **admin.E127**: The value of ``date_hierarchy`` refers to ``<field name>``,
|
||
which does not refer to a Field.
|
||
* **admin.E128**: The value of ``date_hierarchy`` must be a ``DateField`` or
|
||
``DateTimeField``.
|
||
* **admin.E129**: ``<modeladmin>`` must define a ``has_<foo>_permission()``
|
||
method for the ``<action>`` action.
|
||
* **admin.E130**: ``__name__`` attributes of actions defined in
|
||
``<modeladmin>`` must be unique. Name ``<name>`` is not unique.
|
||
|
||
``InlineModelAdmin``
|
||
~~~~~~~~~~~~~~~~~~~~
|
||
|
||
The following checks are performed on any
|
||
:class:`~django.contrib.admin.InlineModelAdmin` that is registered as an
|
||
inline on a :class:`~django.contrib.admin.ModelAdmin`.
|
||
|
||
* **admin.E201**: Cannot exclude the field ``<field name>``, because it is the
|
||
foreign key to the parent model ``<app_label>.<model>``.
|
||
* **admin.E202**: ``<model>`` has no ``ForeignKey`` to ``<parent model>``./
|
||
``<model>`` has more than one ``ForeignKey`` to ``<parent model>``. You must
|
||
specify a ``fk_name`` attribute.
|
||
* **admin.E203**: The value of ``extra`` must be an integer.
|
||
* **admin.E204**: The value of ``max_num`` must be an integer.
|
||
* **admin.E205**: The value of ``min_num`` must be an integer.
|
||
* **admin.E206**: The value of ``formset`` must inherit from
|
||
``BaseModelFormSet``.
|
||
|
||
``GenericInlineModelAdmin``
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
The following checks are performed on any
|
||
:class:`~django.contrib.contenttypes.admin.GenericInlineModelAdmin` that is
|
||
registered as an inline on a :class:`~django.contrib.admin.ModelAdmin`.
|
||
|
||
* **admin.E301**: ``'ct_field'`` references ``<label>``, which is not a field
|
||
on ``<model>``.
|
||
* **admin.E302**: ``'ct_fk_field'`` references ``<label>``, which is not a
|
||
field on ``<model>``.
|
||
* **admin.E303**: ``<model>`` has no ``GenericForeignKey``.
|
||
* **admin.E304**: ``<model>`` has no ``GenericForeignKey`` using content type
|
||
field ``<field name>`` and object ID field ``<field name>``.
|
||
|
||
``AdminSite``
|
||
~~~~~~~~~~~~~
|
||
|
||
The following checks are performed on the default
|
||
:class:`~django.contrib.admin.AdminSite`:
|
||
|
||
* **admin.E401**: :mod:`django.contrib.contenttypes` must be in
|
||
:setting:`INSTALLED_APPS` in order to use the admin application.
|
||
* **admin.E402**: :mod:`django.contrib.auth.context_processors.auth`
|
||
must be enabled in :class:`~django.template.backends.django.DjangoTemplates`
|
||
(:setting:`TEMPLATES`) if using the default auth backend in order to use the
|
||
admin application.
|
||
* **admin.E403**: A :class:`django.template.backends.django.DjangoTemplates`
|
||
instance must be configured in :setting:`TEMPLATES` in order to use the
|
||
admin application.
|
||
* **admin.E404**: ``django.contrib.messages.context_processors.messages``
|
||
must be enabled in :class:`~django.template.backends.django.DjangoTemplates`
|
||
(:setting:`TEMPLATES`) in order to use the admin application.
|
||
* **admin.E405**: :mod:`django.contrib.auth` must be in
|
||
:setting:`INSTALLED_APPS` in order to use the admin application.
|
||
* **admin.E406**: :mod:`django.contrib.messages` must be in
|
||
:setting:`INSTALLED_APPS` in order to use the admin application.
|
||
* **admin.E408**:
|
||
:class:`django.contrib.auth.middleware.AuthenticationMiddleware` must be in
|
||
:setting:`MIDDLEWARE` in order to use the admin application.
|
||
* **admin.E409**: :class:`django.contrib.messages.middleware.MessageMiddleware`
|
||
must be in :setting:`MIDDLEWARE` in order to use the admin application.
|
||
* **admin.E410**: :class:`django.contrib.sessions.middleware.SessionMiddleware`
|
||
must be in :setting:`MIDDLEWARE` in order to use the admin application.
|
||
* **admin.W411**: ``django.template.context_processors.request`` must be
|
||
enabled in :class:`~django.template.backends.django.DjangoTemplates`
|
||
(:setting:`TEMPLATES`) in order to use the admin navigation sidebar.
|
||
|
||
``auth``
|
||
--------
|
||
|
||
* **auth.E001**: ``REQUIRED_FIELDS`` must be a list or tuple.
|
||
* **auth.E002**: The field named as the ``USERNAME_FIELD`` for a custom user
|
||
model must not be included in ``REQUIRED_FIELDS``.
|
||
* **auth.E003**: ``<field>`` must be unique because it is named as the
|
||
``USERNAME_FIELD``.
|
||
* **auth.W004**: ``<field>`` is named as the ``USERNAME_FIELD``, but it is not
|
||
unique.
|
||
* **auth.E005**: The permission codenamed ``<codename>`` clashes with a builtin
|
||
permission for model ``<model>``.
|
||
* **auth.E006**: The permission codenamed ``<codename>`` is duplicated for model
|
||
``<model>``.
|
||
* **auth.E007**: The :attr:`verbose_name
|
||
<django.db.models.Options.verbose_name>` of model ``<model>`` must be at most
|
||
244 characters for its builtin permission names
|
||
to be at most 255 characters.
|
||
* **auth.E008**: The permission named ``<name>`` of model ``<model>`` is longer
|
||
than 255 characters.
|
||
* **auth.C009**: ``<User model>.is_anonymous`` must be an attribute or property
|
||
rather than a method. Ignoring this is a security issue as anonymous users
|
||
will be treated as authenticated!
|
||
* **auth.C010**: ``<User model>.is_authenticated`` must be an attribute or
|
||
property rather than a method. Ignoring this is a security issue as anonymous
|
||
users will be treated as authenticated!
|
||
* **auth.E011**: The name of model ``<model>`` must be at most 93 characters
|
||
for its builtin permission names to be at most 100 characters.
|
||
* **auth.E012**: The permission codenamed ``<codename>`` of model ``<model>``
|
||
is longer than 100 characters.
|
||
|
||
``contenttypes``
|
||
----------------
|
||
|
||
The following checks are performed when a model contains a
|
||
:class:`~django.contrib.contenttypes.fields.GenericForeignKey` or
|
||
:class:`~django.contrib.contenttypes.fields.GenericRelation`:
|
||
|
||
* **contenttypes.E001**: The ``GenericForeignKey`` object ID references the
|
||
nonexistent field ``<field>``.
|
||
* **contenttypes.E002**: The ``GenericForeignKey`` content type references the
|
||
nonexistent field ``<field>``.
|
||
* **contenttypes.E003**: ``<field>`` is not a ``ForeignKey``.
|
||
* **contenttypes.E004**: ``<field>`` is not a ``ForeignKey`` to
|
||
``contenttypes.ContentType``.
|
||
* **contenttypes.E005**: Model names must be at most 100 characters.
|
||
|
||
``postgres``
|
||
------------
|
||
|
||
The following checks are performed on :mod:`django.contrib.postgres` model
|
||
fields:
|
||
|
||
* **postgres.E001**: Base field for array has errors: ...
|
||
* **postgres.E002**: Base field for array cannot be a related field.
|
||
* **postgres.E003**: ``<field>`` default should be a callable instead of an
|
||
instance so that it's not shared between all field instances. *This check was
|
||
changed to* ``fields.E010`` *in Django 3.1*.
|
||
|
||
``sites``
|
||
---------
|
||
|
||
The following checks are performed on any model using a
|
||
:class:`~django.contrib.sites.managers.CurrentSiteManager`:
|
||
|
||
* **sites.E001**: ``CurrentSiteManager`` could not find a field named
|
||
``<field name>``.
|
||
* **sites.E002**: ``CurrentSiteManager`` cannot use ``<field>`` as it is not a
|
||
foreign key or a many-to-many field.
|
||
|
||
The following checks verify that :mod:`django.contrib.sites` is correctly
|
||
configured:
|
||
|
||
* **sites.E101**: The :setting:`SITE_ID` setting must be an integer.
|
||
|
||
``staticfiles``
|
||
---------------
|
||
|
||
The following checks verify that :mod:`django.contrib.staticfiles` is correctly
|
||
configured:
|
||
|
||
* **staticfiles.E001**: The :setting:`STATICFILES_DIRS` setting is not a tuple
|
||
or list.
|
||
* **staticfiles.E002**: The :setting:`STATICFILES_DIRS` setting should not
|
||
contain the :setting:`STATIC_ROOT` setting.
|
||
* **staticfiles.E003**: The prefix ``<prefix>`` in the
|
||
:setting:`STATICFILES_DIRS` setting must not end with a slash.
|