How to Securely Deploy Your Django Application to Heroku

Securely Deploy Django to Heroku

It is important to prioritize security always when deploying your application, especially if your application retains client data.

When building Django applications, you need to take some steps and make some changes to the application setup before deploying.

In this tutorial, I will take you through the steps you should follow to ensure your application is more secure when deploying. Some of these steps will be specific to just deploying to Heroku. But even if you aren’t using Heroku, you will be able to adapt the tips given here.

Heroku is basically a platform-as-a-service (PaaS) where you can deploy, manage, and scale modern apps. They support several programming languages, including Python, the language upon which Django is based. Heroku makes deployment using git really easy, so that is what we will be using in this tutorial.

For your convenience, the code will be available on a git repository.


  1. Basic knowledge of Django
  2. Basic Knowledge of Git

Setting Up Django

This tutorial is going to lay down the steps for a basic “Hello World” Django application. This will be sufficient to provide you with a rundown of the build process.

First of all, install Django if you haven’t—$ pip install django.

Create a folder for your project. On your terminal, navigate to the directory you just created and run $ django-admin startproject Hello.

You’ll see that the Django base files have been created.

Next, running $ python runserver should run your server on and show you this:

what the Django website will look like after you have created the Django base files

Create in the folder where is and put the code below to display “Hello world!” on the homepage.

Then, open your file and update it to look like this:

Preparing Your Application for Deployment

First, you have to create a Procfile. This file must be in the same directory is in. The following code will be contained in that file.

In case you are working on another project, Hello.wsgi is the path to my wsgi file. Replace that with the path to your wsgi file.

Now create the requirement.txt file and put the following dependencies: Django & gunicorn.

Next, we have to tell Heroku the version of Python on which our application should run. We will do that in a runtime.txt file. Make sure to check which Python versions are supported by Heroku first. After creating the file, input the following: python-3.8.11

Setup Heroku

First, install the Heroku CLI.

Log in to your Heroku account and follow the prompts to create a new SSH public key.

Now login to Heroku with:

$ heroku login

Next, initialize a git repository in the root of your project, i.e., where the file is.

$ git init

Inside the project root, create an app on Heroku:

heroku create hello-security-app

You can replace hello-security-app with whatever you wish to name your application.

To store your code in a remote Git repository in Heroku, run:

$ heroku git:remote -a hello-security-app

Now, go to the Heroku Dashboard, and you will see that your application has been created successfully. 

Security Updates

What we have to do now is hide our Django secret key. Attackers can do significant damage if the key is left exposed, so it should always be hidden.

Heroku provides a feature for us to be able to do that. 

What you need to do is add import os to the top of your file and change your secret key SECRET_KEY = xxxxxxxxxxxxxxxx  to look like this:  SECRET_KEY = os.environ.get(‘SECRET_KEY’)

If you have your database set up or you have any API keys in your settings folder, make sure you turn them into the form above.

E.g API_KEY = os.environ.get(‘API_KEY’)

Now, go to the Heroku dashboard and click on the application you just created. Then, go to the “settings” tab. You should see the “Reveal Config Vars” button. Click on it.

the Heroku dashboard with the “reveal config vars” button at the bottom of the settings screen

In there, you can input your secret key or any API keys you have and click on “Add”. Your keys are protected by Heroku now.

the config vars screen where you can enter your secret key so that it is protected by Heroku and not viewable as part of your source code

Finally, in your file, make sure DEBUG = False.

Then add “” to allowed host like this:


Disable collectstatic for this application by running: 

$ heroku config:set DISABLE_COLLECTSTATIC=1 (this is required by Heroku).

Commit and push your code to Heroku.

Now, go to your app on the Heroku dashboard and click on the Open App button. You will see your application displayed.

At the moment, our application will open if we remove the ‘s’ in “https://”

the application can be accessed using the http protocol as well and not just the https protocol, making the application insecure and vulnerable to attacks

That is a security flaw because malicious network users can get or alter information transferred between client and server. This should be fixed. 

You are going to make it so that when “http://” is typed, the visitor of the site is redirected to “https://”. To do that, go to the end of your  file and add the code below:

There are Django docs available where you can learn more about this.

Commit and push your changes to Heroku.

Try going to your application with “http://”. It should redirect you to “https://”.


In this article, I have talked about how you can secure your project when deploying it to Heroku.

As mentioned earlier, security should not be overlooked. It will protect your application from being hacked and prevent valuable information from getting into the wrong hands. Therefore, it is advisable that you go through this article and don’t bypass any of the steps.

The goal of this article is to demonstrate how you can securely deploy your application to Heroku with ease. Hopefully, this will be sufficient for you to understand how to implement this security in your own project.