The system check framework is a set of static checks for validating Django projects. It detects common problems and provides hints for how to fix them. The framework is extensible so you can easily add your own checks.
For details on how to add your own checks and integrate them with Django’s system checks, see the System check topic guide.
CheckMessage¶CheckMessage(level, msg, hint=None, obj=None, id=None)¶The warnings and errors raised by system checks must be instances of
CheckMessage. An instance encapsulates a single reportable error or
warning. It also provides context and hints applicable to the message, and a
unique identifier that is used for filtering purposes.
Constructor arguments are:
levelDEBUG,
INFO, WARNING, ERROR, CRITICAL. If the level is greater or
equal to ERROR, then Django will prevent management commands from
executing. Messages with level lower than ERROR (i.e. warnings) are
reported to the console, but can be silenced.msghintNone can be used.obj__str__() method.
The method is used while reporting all messages and its result precedes the
message.idapplabel.X001, where X is one of the letters
CEWID, indicating the message severity (C for criticals, E for
errors and so). The number can be allocated by the application, but should
be unique within that application.There are subclasses to make creating messages with common levels easier. When
using them you can omit the level argument because it is implied by the
class name.
Debug(msg, hint=None, obj=None, id=None)¶Info(msg, hint=None, obj=None, id=None)¶Warning(msg, hint=None obj=None, id=None)¶Error(msg, hint=None, obj=None, id=None)¶Critical(msg, hint=None, obj=None, id=None)¶Django’s system checks are organized using the following tags:
admin: Checks of any admin site declarations.async_support: Checks asynchronous-related configuration.caches: Checks cache related configuration.compatibility: Flags potential problems with version upgrades.database: Checks database-related configuration issues. Database checks
are not run by default because they do more than static code analysis as
regular checks do. They are only run by the migrate command or if
you specify configured database aliases using the --database option when
calling the check command.models: Checks of model, field, and manager definitions.security: Checks security related configuration.signals: Checks on signal declarations and handler registrations.sites: Checks django.contrib.sites configuration.staticfiles: Checks django.contrib.staticfiles configuration.templates: Checks template related configuration.translation: Checks translation related configuration.urls: Checks URL configuration.Some checks may be registered with multiple tags.
The async_support tag was added.
The database checks are now run only for database aliases specified
using the check --database option.
The sites tag was added.
The following checks verify your setup for Asynchronous support:
DJANGO_ALLOW_ASYNC_UNSAFE
environment variable in deployment. This disables async safety
protection.Compatibility checks warn of potential problems that might occur after upgrading Django.
<pattern> has a route that contains
(?P<, begins with a ^, or ends with a $. This was likely an
oversight when migrating from url() to path().The following checks verify that your CACHES setting is correctly
configured:
'default' cache in your
CACHES setting.<cache> configuration might expose your cache or
lead to corruption of your data because its
LOCATION matches/is inside/contains
MEDIA_ROOT/STATIC_ROOT/STATICFILES_DIRS.<cache> cache LOCATION
is relative. Use an absolute path instead.If you’re using MySQL or MariaDB, the following checks will be performed:
CharFields to have a
max_length > 255. This check was changed to mysql.W003 in Django
3.1 as the real maximum size depends on many factors.<alias>. See also Setting sql_mode.CharFields to have a
max_length > 255."__".pk is a reserved word that cannot be used as a field
name.choices must be an iterable (e.g., a list or tuple).choices must be an iterable containing (actual value,
human readable name) tuples.db_index must be None, True or False.null=True.validators must be callable.max_length is too small to fit the longest value in
choices (<count> characters).<field> default should be a callable instead of an
instance so that it’s not shared between all field instances.AutoFields must set primary_key=True.BooleanFields do not accept null values. This check
appeared before support for null values was added in Django 2.1.CharFields must define a max_length attribute.max_length must be a positive integer.max_length is ignored when used with
<integer field type>.DecimalFields must define a decimal_places attribute.decimal_places must be a non-negative integer.DecimalFields must define a max_digits attribute.max_digits must be a positive integer.max_digits must be greater or equal to decimal_places.FilePathFields must have either allow_files or
allow_folders set to True.GenericIPAddressFields cannot have blank=True if
null=False, as blank values are stored as nulls.auto_now, auto_now_add, and default
are mutually exclusive. Only one of these options may be present.<database> does not support a database index on
<field data type> columns.BinaryField’s default cannot be a string. Use bytes
content instead.<database> does not support JSONFields.<database> does not support a database collation on
<field_type>s.IPAddressField has been removed except for support in
historical migrations.IPAddressField has been deprecated. Support for it
(except in historical migrations) will be removed in Django 1.9. This check
appeared in Django 1.7 and 1.8.CommaSeparatedIntegerField has been deprecated. Support
for it (except in historical migrations) will be removed in Django 2.0. This
check appeared in Django 1.10 and 1.11.CommaSeparatedIntegerField is removed except for support
in historical migrations.FloatRangeField is deprecated and will be removed in
Django 3.1. This check appeared in Django 2.2 and 3.0.NullBooleanField is deprecated. Support for it (except
in historical migrations) will be removed in Django 4.0.django.contrib.postgres.fields.JSONField is deprecated.
Support for it (except in historical migrations) will be removed in Django
4.0.unique is not a valid argument for a FileField.
This check is removed in Django 1.11.primary_key is not a valid argument for a FileField.FileField’s upload_to argument must be a relative
path, not an absolute path.ImageField because Pillow is not installed.<swappable> is not of the form app_label.app_name.<SETTING> references <model>, which has not been
installed, or is abstract.<app_label>.<model>.id can only be used as a field name if the field also
sets primary_key=True.<field name> from parent model <model>
clashes with the field <field name> from parent model <model>.<field name> clashes with the field
<field name> from model <model>.<field name> has column name <column name>
that is used by another field.index_together must be a list or tuple.index_together elements must be lists or tuples.unique_together must be a list or tuple.unique_together elements must be lists or tuples.constraints/indexes/index_together/unique_together
refers to the nonexistent field <field name>.constraints/indexes/index_together/unique_together
refers to a ManyToManyField <field name>, but ManyToManyFields
are not supported for that option.ordering must be a tuple or list (even if you want to
order by only one field).ordering refers to the nonexistent field, related field,
or lookup <field name>.constraints/indexes/index_together/unique_together
refers to field <field_name> which is not local to model <model>.<model> contains model fields.<field>.
Maximum length is <maximum length> for database <alias>.<M2M field>. Maximum length is <maximum length> for database
<alias>.<model>.check() class method is currently overridden.ordering and order_with_respect_to cannot be used
together.<function> contains a lazy reference to
<app label>.<model>, but app <app label> isn’t installed or
doesn’t provide model <model>.<model> cannot start or end with an
underscore as it collides with the query lookup syntax.<model> cannot contain double underscores
as it collides with the query lookup syntax.<property name> clashes with a related
field accessor.primary_key=True.<database> does not support check constraints.db_table <db_table> is used by multiple models:
<model list>.<index> is not unique for model <model>.<index> is not unique among models:
<model list>.<constraint> is not unique for model
<model>.<constraint> is not unique among
models: <model list>.<index> cannot start with an underscore
or a number.<index> cannot be longer than
<max_length> characters.db_table <db_table> is used by multiple models:
<model list>.<database> does not support unique constraints with
conditions.<database> does not support indexes with conditions.<database> does not support deferrable unique
constraints.<database> does not support unique constraints with
non-key columns.<database> does not support indexes with non-key
columns.constraints refers to the joined field <field name>.django.db.models.AutoField.<database> does not support indexes on expressions.The security checks do not make your site secure. They do not audit code, do intrusion detection, or do anything particularly complex. Rather, they help perform an automated, low-hanging-fruit checklist, that can help you to improve your site’s security.
Some of these checks may not be appropriate for your particular deployment
configuration. For instance, if you do your HTTP to HTTPS redirection in a load
balancer, it’d be irritating to be constantly warned about not having enabled
SECURE_SSL_REDIRECT. Use SILENCED_SYSTEM_CHECKS to
silence unneeded checks.
The following checks are run if you use the check --deploy option:
django.middleware.security.SecurityMiddleware in your
MIDDLEWARE so the SECURE_HSTS_SECONDS,
SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER,
SECURE_REFERRER_POLICY, and SECURE_SSL_REDIRECT
settings will have no effect.django.middleware.clickjacking.XFrameOptionsMiddleware in your
MIDDLEWARE, so your pages will not be served with an
'x-frame-options' header. Unless there is a good reason for your
site to be served in a frame, you should consider enabling this
header to help prevent clickjacking attacks.django.middleware.csrf.CsrfViewMiddleware is not in your
MIDDLEWARE). Enabling the middleware is the safest
approach to ensure you don’t leave any holes.SECURE_HSTS_SECONDS setting. If your entire site is served only
over SSL, you may want to consider setting a value and enabling HTTP
Strict Transport Security. Be sure to read
the documentation first; enabling HSTS carelessly can cause serious,
irreversible problems.SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. Without this,
your site is potentially vulnerable to attack via an insecure connection to a
subdomain. Only set this to True if you are certain that all subdomains of
your domain should be served exclusively via SSL.SECURE_CONTENT_TYPE_NOSNIFF setting is not
set to True, so your pages will not be served with an
'X-Content-Type-Options: nosniff' header. You should consider enabling
this header to prevent the browser from identifying content types incorrectly.SECURE_BROWSER_XSS_FILTER setting is not
set to True, so your pages will not be served with an
'X-XSS-Protection: 1; mode=block' header. You should consider enabling
this header to activate the browser’s XSS filtering and help prevent XSS
attacks. This check is removed in Django 3.0 as the X-XSS-Protection
header is no longer honored by modern browsers.SECURE_SSL_REDIRECT setting is not set to
True. Unless your site should be available over both SSL and non-SSL
connections, you may want to either set this setting to True or configure
a load balancer or reverse-proxy server to redirect all connections to HTTPS.SECRET_KEY has less than 50 characters,
less than 5 unique characters, or it’s prefixed with 'django-insecure-'
indicating that it was generated automatically by Django. Please generate a
long and random SECRET_KEY, otherwise many of Django’s security-critical
features will be vulnerable to attack.django.contrib.sessions in your
INSTALLED_APPS but you have not set
SESSION_COOKIE_SECURE to True. Using a secure-only session
cookie makes it more difficult for network traffic sniffers to hijack user
sessions.django.contrib.sessions.middleware.SessionMiddleware in your
MIDDLEWARE, but you have not set SESSION_COOKIE_SECURE
to True. Using a secure-only session cookie makes it more difficult for
network traffic sniffers to hijack user sessions.SESSION_COOKIE_SECURE is not set to True.
Using a secure-only session cookie makes it more difficult for network traffic
sniffers to hijack user sessions.django.contrib.sessions in your
INSTALLED_APPS, but you have not set
SESSION_COOKIE_HTTPONLY to True. Using an HttpOnly session
cookie makes it more difficult for cross-site scripting attacks to hijack user
sessions.django.contrib.sessions.middleware.SessionMiddleware in your
MIDDLEWARE, but you have not set SESSION_COOKIE_HTTPONLY
to True. Using an HttpOnly session cookie makes it more difficult for
cross-site scripting attacks to hijack user sessions.SESSION_COOKIE_HTTPONLY is not set to True.
Using an HttpOnly session cookie makes it more difficult for cross-site
scripting attacks to hijack user sessions.CSRF_COOKIE_SECURE is not set to True.
Using a secure-only CSRF cookie makes it more difficult for network traffic
sniffers to steal the CSRF token.CSRF_COOKIE_HTTPONLY is not set to True.
Using an HttpOnly CSRF cookie makes it more difficult for cross-site
scripting attacks to steal the CSRF token. This check is removed in Django
1.11 as the CSRF_COOKIE_HTTPONLY setting offers no practical
benefit.DEBUG set to True in
deployment.django.middleware.clickjacking.XFrameOptionsMiddleware in your
MIDDLEWARE, but X_FRAME_OPTIONS is not set to
'DENY'. Unless there is a good reason for your site to serve other parts
of itself in a frame, you should change it to 'DENY'.ALLOWED_HOSTS must not be empty in deployment.SECURE_HSTS_PRELOAD setting to True. Without this, your site
cannot be submitted to the browser preload list.SECURE_REFERRER_POLICY
setting. Without this, your site will not send a Referrer-Policy header. You
should consider enabling this header to protect user privacy.SECURE_REFERRER_POLICY setting
to an invalid value.The following checks verify that your security-related settings are correctly configured:
DEFAULT_HASHING_ALGORITHM must be 'sha1' or
'sha256'.'path.to.view' does not take the
correct number of arguments.'path.to.view' could not be
imported.<handler> was connected to the <signal> signal with
a lazy reference to the sender <app label>.<model>, but app <app label>
isn’t installed or doesn’t provide model <model>.The following checks are performed on your translation configuration:
LANGUAGE_CODE setting: <value>.LANGUAGES setting: <value>.LANGUAGES_BIDI setting: <value>.LANGUAGE_CODE setting that is not in the LANGUAGES
setting.The following checks are performed on your URL configuration:
<pattern> uses
include() with a route ending with a $. Remove the
dollar from the route to avoid problems including URLs.<pattern> has a route beginning with
a /. Remove this slash as it is unnecessary. If this pattern is targeted
in an include(), ensure the include()
pattern has a trailing /.<pattern> has a name
including a :. Remove the colon, to avoid ambiguous namespace
references.<pattern> is invalid. Ensure that
urlpatterns is a list of path() and/or
re_path() instances.<namespace> isn’t unique. You may not be
able to reverse all URLs in this namespace.MEDIA_URL/ STATIC_URL setting must
end with a slash.handlerXXX view 'path.to.view' does not
take the correct number of arguments (…).handlerXXX view 'path.to.view' could not be
imported.contrib app checks¶admin¶Admin checks are all performed as part of the admin tag.
The following checks are performed on any
ModelAdmin (or subclass) that is registered
with the admin site:
raw_id_fields must be a list or tuple.raw_id_fields[n] refers to <field name>,
which is not an attribute of <model>.raw_id_fields[n] must be a foreign key or
a many-to-many field.fields must be a list or tuple.fieldsets and fields are specified.fields contains duplicate field(s).fieldsets must be a list or tuple.fieldsets[n] must be a list or tuple.fieldsets[n] must be of length 2.fieldsets[n][1] must be a dictionary.fieldsets[n][1] must contain the key
fields.fieldsets[n][1].fields[n]/fieldsets[n][m] cannot include the
ManyToManyField <field name>, because that field manually specifies a
relationship model.exclude must be a list or tuple.exclude contains duplicate field(s).form must inherit from BaseModelForm.filter_vertical must be a list or tuple.filter_horizontal must be a list or tuple.filter_vertical[n]/filter_horizontal[n]
refers to <field name>, which is not an attribute of <model>.filter_vertical[n]/filter_horizontal[n]
must be a many-to-many field.radio_fields must be a dictionary.radio_fields refers to <field name>,
which is not an attribute of <model>.radio_fields refers to <field name>,
which is not an instance of ForeignKey, and does not have a choices
definition.radio_fields[<field name>] must be either
admin.HORIZONTAL or admin.VERTICAL.view_on_site must be either a callable or a
boolean value.prepopulated_fields must be a dictionary.prepopulated_fields refers to
<field name>, which is not an attribute of <model>.prepopulated_fields refers to
<field name>, which must not be a DateTimeField, a ForeignKey,
a OneToOneField, or a ManyToManyField field.prepopulated_fields[<field name>] must be a
list or tuple.prepopulated_fields refers to
<field name>, which is not an attribute of <model>.ordering must be a list or tuple.ordering has the random ordering marker
?, but contains other fields as well.ordering refers to <field name>, which
is not an attribute of <model>.readonly_fields must be a list or tuple.readonly_fields[n] is not a callable, an
attribute of <ModelAdmin class>, or an attribute of <model>.autocomplete_fields must be a list or tuple.autocomplete_fields[n] refers to
<field name>, which is not an attribute of <model>.autocomplete_fields[n] must be a foreign
key or a many-to-many field.<model> has to be registered to be
referenced by <modeladmin>.autocomplete_fields.<modeladmin> must define search_fields, because
it’s referenced by <other_modeladmin>.autocomplete_fields.ModelAdmin¶The following checks are performed on any
ModelAdmin that is registered
with the admin site:
save_as must be a boolean.save_on_top must be a boolean.inlines must be a list or tuple.<InlineModelAdmin class> must inherit from
InlineModelAdmin.<InlineModelAdmin class> must have a model attribute.<InlineModelAdmin class>.model must be a
Model.list_display must be a list or tuple.list_display[n] refers to <label>,
which is not a callable, an attribute of <ModelAdmin class>, or an
attribute or method on <model>.list_display[n] must not be a
ManyToManyField field.list_display_links must be a list, a tuple,
or None.list_display_links[n] refers to <label>,
which is not defined in list_display.list_filter must be a list or tuple.list_filter[n] must inherit from
ListFilter.list_filter[n] must not inherit from
FieldListFilter.list_filter[n][1] must inherit from
FieldListFilter.list_filter[n] refers to <label>,
which does not refer to a Field.list_select_related must be a boolean,
tuple or list.list_per_page must be an integer.list_max_show_all must be an integer.list_editable must be a list or tuple.list_editable[n] refers to <label>,
which is not an attribute of <model>.list_editable[n] refers to <label>,
which is not contained in list_display.list_editable[n] cannot be in both
list_editable and list_display_links.list_editable[n] refers to the first field
in list_display (<label>), which cannot be used unless
list_display_links is set.list_editable[n] refers to <field name>,
which is not editable through the admin.search_fields must be a list or tuple.date_hierarchy refers to <field name>,
which does not refer to a Field.date_hierarchy must be a DateField or
DateTimeField.<modeladmin> must define a has_<foo>_permission()
method for the <action> action.__name__ attributes of actions defined in
<modeladmin> must be unique. Name <name> is not unique.InlineModelAdmin¶The following checks are performed on any
InlineModelAdmin that is registered as an
inline on a ModelAdmin.
<field name>, because it is the
foreign key to the parent model <app_label>.<model>.<model> has no ForeignKey to <parent model>./
<model> has more than one ForeignKey to <parent model>. You must
specify a fk_name attribute.extra must be an integer.max_num must be an integer.min_num must be an integer.formset must inherit from
BaseModelFormSet.GenericInlineModelAdmin¶The following checks are performed on any
GenericInlineModelAdmin that is
registered as an inline on a ModelAdmin.
'ct_field' references <label>, which is not a field
on <model>.'ct_fk_field' references <label>, which is not a
field on <model>.<model> has no GenericForeignKey.<model> has no GenericForeignKey using content type
field <field name> and object ID field <field name>.AdminSite¶The following checks are performed on the default
AdminSite:
django.contrib.contenttypes must be in
INSTALLED_APPS in order to use the admin application.django.contrib.auth.context_processors.auth
must be enabled in DjangoTemplates
(TEMPLATES) if using the default auth backend in order to use the
admin application.django.template.backends.django.DjangoTemplates
instance must be configured in TEMPLATES in order to use the
admin application.django.contrib.messages.context_processors.messages
must be enabled in DjangoTemplates
(TEMPLATES) in order to use the admin application.django.contrib.auth must be in
INSTALLED_APPS in order to use the admin application.django.contrib.messages must be in
INSTALLED_APPS in order to use the admin application.django.contrib.auth.middleware.AuthenticationMiddleware must be in
MIDDLEWARE in order to use the admin application.django.contrib.messages.middleware.MessageMiddleware
must be in MIDDLEWARE in order to use the admin application.django.contrib.sessions.middleware.SessionMiddleware
must be in MIDDLEWARE in order to use the admin application.django.template.context_processors.request must be
enabled in DjangoTemplates
(TEMPLATES) in order to use the admin navigation sidebar.auth¶REQUIRED_FIELDS must be a list or tuple.USERNAME_FIELD for a custom user
model must not be included in REQUIRED_FIELDS.<field> must be unique because it is named as the
USERNAME_FIELD.<field> is named as the USERNAME_FIELD, but it is not
unique.<codename> clashes with a builtin
permission for model <model>.<codename> is duplicated for model
<model>.verbose_name of model <model> must be at most
244 characters for its builtin permission names
to be at most 255 characters.<name> of model <model> is longer
than 255 characters.<User model>.is_anonymous must be an attribute or property
rather than a method. Ignoring this is a security issue as anonymous users
will be treated as authenticated!<User model>.is_authenticated must be an attribute or
property rather than a method. Ignoring this is a security issue as anonymous
users will be treated as authenticated!<model> must be at most 93 characters
for its builtin permission names to be at most 100 characters.<codename> of model <model>
is longer than 100 characters.contenttypes¶The following checks are performed when a model contains a
GenericForeignKey or
GenericRelation:
GenericForeignKey object ID references the
nonexistent field <field>.GenericForeignKey content type references the
nonexistent field <field>.<field> is not a ForeignKey.<field> is not a ForeignKey to
contenttypes.ContentType.postgres¶The following checks are performed on django.contrib.postgres model
fields:
<field> default should be a callable instead of an
instance so that it’s not shared between all field instances. This check was
changed to fields.E010 in Django 3.1.sites¶The following checks are performed on any model using a
CurrentSiteManager:
CurrentSiteManager could not find a field named
<field name>.CurrentSiteManager cannot use <field> as it is not a
foreign key or a many-to-many field.The following checks verify that django.contrib.sites is correctly
configured:
SITE_ID setting must be an integer.staticfiles¶The following checks verify that django.contrib.staticfiles is correctly
configured:
STATICFILES_DIRS setting is not a tuple
or list.STATICFILES_DIRS setting should not
contain the STATIC_ROOT setting.<prefix> in the
STATICFILES_DIRS setting must not end with a slash.Jul 27, 2022