Django Settings Deep Dive

settings.py is the heart of your Django project. It controls everything from database connections to security settings to static file paths. Understanding key settings is essential for both development and production.

20 min•By Priygop Team•Updated 2026

Key Settings

DEBUG — True for development, False for production
SECRET_KEY — Cryptographic key for sessions, tokens, CSRF
ALLOWED_HOSTS — Domains allowed to serve the app
INSTALLED_APPS — List of active Django apps
DATABASES — Database engine, name, host, port, credentials
MIDDLEWARE — Request/response processing hooks
TEMPLATES — Template engine configuration
STATIC_URL / STATICFILES_DIRS — Static file configuration
MEDIA_URL / MEDIA_ROOT — User-uploaded file configuration
LANGUAGE_CODE / TIME_ZONE — Localization settings

Settings Example

# mysite/settings.py — Important settings explained

# import os
# from pathlib import Path
# BASE_DIR = Path(__file__).resolve().parent.parent

# SECURITY
# SECRET_KEY = 'your-secret-key-here'  # Change in production!
# DEBUG = True  # NEVER True in production
# ALLOWED_HOSTS = []  # Add domain in production: ['example.com']

# DATABASES — SQLite (default) or PostgreSQL
# DATABASES = {
#     'default': {
#         'ENGINE': 'django.db.backends.sqlite3',
#         'NAME': BASE_DIR / 'db.sqlite3',
#     }
# }
# For PostgreSQL:
# DATABASES = {
#     'default': {
#         'ENGINE': 'django.db.backends.postgresql',
#         'NAME': 'mydb',
#         'USER': 'myuser',
#         'PASSWORD': 'mypassword',
#         'HOST': 'localhost',
#         'PORT': '5432',
#     }
# }

# STATIC FILES
# STATIC_URL = '/static/'
# STATICFILES_DIRS = [BASE_DIR / 'static']

# MEDIA FILES (user uploads)
# MEDIA_URL = '/media/'
# MEDIA_ROOT = BASE_DIR / 'media'

# LOCALIZATION
# LANGUAGE_CODE = 'en-us'
# TIME_ZONE = 'UTC'

Tip

Use DEBUG=True only in development. In production, set DEBUG=False and configure ALLOWED_HOSTS, SECRET_KEY from environment variables.

Diagram

Loading diagram…

QuerySets are LAZY — no DB hit until evaluated.

Common Mistake

Warning

Committing SECRET_KEY to version control. Generate a unique key and store it in environment variables or a .env file.

Practice Task

Note

(1) Move SECRET_KEY to an env variable. (2) Set DEBUG=False and add ALLOWED_HOSTS. (3) Test with python manage.py check --deploy.

Quick Quiz

Key Takeaways

DEBUG — True for development, False for production
SECRET_KEY — Cryptographic key for sessions, tokens, CSRF
ALLOWED_HOSTS — Domains allowed to serve the app

Topics in This Module

Key Settings

DEBUG — True for development, False for production

SECRET_KEY — Cryptographic key for sessions, tokens, CSRF

ALLOWED_HOSTS — Domains allowed to serve the app

INSTALLED_APPS — List of active Django apps

DATABASES — Database engine, name, host, port, credentials

MIDDLEWARE — Request/response processing hooks

TEMPLATES — Template engine configuration

STATIC_URL / STATICFILES_DIRS — Static file configuration

MEDIA_URL / MEDIA_ROOT — User-uploaded file configuration

LANGUAGE_CODE / TIME_ZONE — Localization settings

Settings Example

# mysite/settings.py — Important settings explained

# import os
# from pathlib import Path
# BASE_DIR = Path(__file__).resolve().parent.parent

# SECURITY
# SECRET_KEY = 'your-secret-key-here'  # Change in production!
# DEBUG = True  # NEVER True in production
# ALLOWED_HOSTS = []  # Add domain in production: ['example.com']

# DATABASES — SQLite (default) or PostgreSQL
# DATABASES = {
#     'default': {
#         'ENGINE': 'django.db.backends.sqlite3',
#         'NAME': BASE_DIR / 'db.sqlite3',
#     }
# }
# For PostgreSQL:
# DATABASES = {
#     'default': {
#         'ENGINE': 'django.db.backends.postgresql',
#         'NAME': 'mydb',
#         'USER': 'myuser',
#         'PASSWORD': 'mypassword',
#         'HOST': 'localhost',
#         'PORT': '5432',
#     }
# }

# STATIC FILES
# STATIC_URL = '/static/'
# STATICFILES_DIRS = [BASE_DIR / 'static']

# MEDIA FILES (user uploads)
# MEDIA_URL = '/media/'
# MEDIA_ROOT = BASE_DIR / 'media'

# LOCALIZATION
# LANGUAGE_CODE = 'en-us'
# TIME_ZONE = 'UTC'

Tip

Use DEBUG=True only in development. In production, set DEBUG=False and configure ALLOWED_HOSTS, SECRET_KEY from environment variables.

Diagram

Loading diagram…

QuerySets are LAZY — no DB hit until evaluated.

Topics in This Module