How Middleware Works in Django

Middleware are hooks that process requests and responses globally â€” before and after views execute. They form a chain: each request passes through middleware going in, and the response passes back out. Authentication, sessions, CSRF, and security are all implemented as middleware.

15 min•By Priygop Team•Updated 2026

Middleware Concepts

Middleware processes EVERY request/response
Executed in order (settings.MIDDLEWARE list)
Request flows TOP â†’ DOWN through middleware
Response flows BOTTOM â†’ UP through middleware
Each middleware can modify request, response, or short-circuit
Built-in: SecurityMiddleware, SessionMiddleware, AuthenticationMiddleware
process_request â†’ view â†’ process_response (simplified flow)

Middleware Flow

# settings.py â€” Middleware order matters!
# MIDDLEWARE = [
#     'django.middleware.security.SecurityMiddleware',         # 1. Security headers
#     'django.contrib.sessions.middleware.SessionMiddleware',  # 2. Sessions
#     'django.middleware.common.CommonMiddleware',             # 3. URL normalization
#     'django.middleware.csrf.CsrfViewMiddleware',             # 4. CSRF protection
#     'django.contrib.auth.middleware.AuthenticationMiddleware', # 5. Auth
#     'django.contrib.messages.middleware.MessageMiddleware',  # 6. Messages
#     'django.middleware.clickjacking.XFrameOptionsMiddleware', # 7. Clickjacking
# ]

# Request/Response flow:
# Client Request
#   â†’ SecurityMiddleware (request)
#     â†’ SessionMiddleware (request)
#       â†’ CommonMiddleware (request)
#         â†’ CsrfViewMiddleware (request)
#           â†’ AuthenticationMiddleware (request)
#             â†’ View (processes request, returns response)
#           â†’ AuthenticationMiddleware (response)
#         â†’ CsrfViewMiddleware (response)
#       â†’ CommonMiddleware (response)
#     â†’ SessionMiddleware (response)
#   â†’ SecurityMiddleware (response)
# Client Response

Tip

Middleware processes EVERY request/response. Order in MIDDLEWARE list matters — SecurityMiddleware should be first, CSRF before auth.

Diagram

Loading diagram…

QuerySets are LAZY — no DB hit until evaluated.

Common Mistake

Warning

Middleware order matters! SecurityMiddleware must come first. SessionMiddleware must come before AuthenticationMiddleware.

Practice Task

Note

(1) Create a timing middleware that logs request duration. (2) Add it to MIDDLEWARE. (3) Check the order is correct.

Quick Quiz

Key Takeaways

Middleware are hooks that process requests and responses globally â€” before and after views execute.
Middleware processes EVERY request/response
Executed in order (settings.MIDDLEWARE list)
Request flows TOP â†’ DOWN through middleware

Topics in This Module

How Middleware Works in Django

15 min•By Priygop Team•Updated 2026

Middleware Concepts

Middleware processes EVERY request/response

Executed in order (settings.MIDDLEWARE list)

Request flows TOP â†’ DOWN through middleware

Response flows BOTTOM â†’ UP through middleware

Each middleware can modify request, response, or short-circuit

Built-in: SecurityMiddleware, SessionMiddleware, AuthenticationMiddleware

process_request â†’ view â†’ process_response (simplified flow)