Programming • Jan 27, 2026 • Cliff

Building A Django SaaS Application (Part 5.1) – Code Review Improvements

Tags: Python, Django, Development, SaaS, Web Development, Security, Code Review, Production, Best Practices, Tutorial

Building a Django SaaS App

Or The Django SaaS Mega-Tutorial

Tutorial 005.1 – Code Review Improvements

After tutorial-005, we decided that it was time to conduct a code review. We recommend doing thorough code reviews periodically and addressing any issues identifid.

This short addendum captures the production-hardening changes applied after the code review. It’s meant as a companion to the earlier tutorials.

See the code review.

What we hardened

1) Security headers for production - Added HTTPS-only protections when DEBUG=False: HSTS (1 year, preload, include subdomains), secure cookies, SSL redirect, basic CSP for CDN assets, and browser XSS filter. - Enforced DJANGO_ALLOWED_HOSTS must be set in production.

2) Safer proxy handling - Introduced TRUST_PROXY_HEADERS env flag and only honor X-Forwarded-For when it is true. - Validate client IPs with validate_ipv46_address; discard malformed values.

3) Health check opacity - Health endpoint now returns minimal JSON ({"status": "ok"} or {"status": "error"}) while still probing DB connectivity. No internal details are exposed.

4) Click analytics performance - Link detail view now aggregates clicks entirely in the database and limits results (top referrers/agents, recent clicks selecting only needed fields). Prevents memory blowups for high-traffic links.

5) Slug robustness - Slugs validated to lowercase letters, numbers, hyphens, underscores; generation length increased to 10 with bounded retries and clear error on exhaustion. - Form input slugs normalized to lowercase; uniqueness stays per-user.

6) Logging hygiene - Scrubbed sensitive data (emails/usernames) from auth logs; retain only user_id for auditing. Failed login logs no longer echo user input.

7) Admin status - Custom admin for CustomUser already present (list display, filters, search, fieldsets). Optional: add date_joined to list_display/readonly_fields if you want that column.

What’s deferred

Rate limiting for login and password reset will be covered in a future tutorial.

Quick verification commands

# Core tests including the updated health check expectations
python manage.py test core.tests.HealthCheckTests

# Link app tests for slug and analytics behavior
python manage.py test links

Environment flags to remember

DJANGO_ALLOWED_HOSTS (required when DEBUG=False)
TRUST_PROXY_HEADERS (set to true only when behind a trusted proxy/load balancer)

Takeaway

These changes lock down surface area, improve resilience under load, and reduce data leakage. They’re safe defaults for moving toward production while keeping the tutorial code lean.

We build software the same way we write about it: Robust. Tested. Correct.

At McIndi Solutions, we specialize in mission-critical modernization and high-security platforms for healthcare and finance. Whether you need a fractional CTO to guide your architecture or a senior engineering team to unblock a complex automation challenge, we are available for advisory and hands-on engagements.

Email us at sales@mcindi.com to discuss your project.

← Back to Blog