Config (Project Shell)

Security — Admin Guide

Security Overview — What You Need to Know as Admin

Is the live site leaking debug information?

No. The local development site shows full Django error pages because DEBUG=True is set in the local .env file. That file is never deployed to Render because it is excluded by .gitignore. On the live site Django falls back to its built-in default, DEBUG=False, so visitors only see the friendly error pages described below, never stack traces or other internal details.

Custom Error Pages

Custom 404 and 500 pages are active on the live site:

  • templates/404.html — "Page Not Found" with Home / Go Back buttons
  • templates/500.html — "Something Went Wrong" standalone page

SECRET_KEY

The production SECRET_KEY must be set in the Render Dashboard under Environment Settings. If it is missing, the site will refuse to start with a clear error. Check Render → your service → Environment to confirm it is set.

HTTPS & Security Headers (Live Site)

The following headers are active in production:

  • ✅ CSRF and session cookies are HTTPS-only — they carry the Secure flag, so browsers never send them over plain HTTP
  • ✅ HSTS (max-age one year) — once a browser has seen this header it refuses plain-HTTP connections to the site for a year
  • ✅ X-Content-Type-Options: nosniff — stops browsers from MIME-sniffing a response into a different content type than the one declared
  • ✅ Referrer-Policy — limits how much of the page URL is sent along when a visitor follows a link to an external site
  • ✅ X-Frame-Options: SAMEORIGIN — only pages from this site may embed it in a frame, which blocks clickjacking

Verifying After a Deploy

After any production deploy, go to securityheaders.com and enter https://orbitingfox.com. You should see an A or A+ grade with HSTS, Referrer-Policy, and X-Content-Type-Options all marked green.
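As a complement to the securityheaders.com check, here is an added example script (not part of the project's own code) that fetches the live site's response headers and checks them against the list above, flagging anything missing, an HSTS lifetime shorter than a year, or a cookie without the Secure flag. The `fetch` and `check_headers` names, the `check_headers.py` file name and the sample header values are my own assumptions.

```python
import re
import sys
import urllib.request

ONE_YEAR = 31536000  # seconds; the HSTS max-age this guide says is configured

# Header name -> acceptable values (None means any explicit value is accepted).
EXPECTED = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"sameorigin", "deny"},  # DENY is stricter than SAMEORIGIN, also fine
    "referrer-policy": None,
}

def check_headers(headers, set_cookies=()):
    """Return a list of findings (empty list = everything expected was present).
    headers: mapping of header name -> value; set_cookies: raw Set-Cookie values."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in EXPECTED.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif allowed is not None and value.lower() not in allowed:
            findings.append(f"{name}: unexpected value '{value}'")
    # HSTS: parse max-age rather than string-match, so a longer lifetime still passes.
    match = re.search(r"max-age=(\d+)", lower.get("strict-transport-security", ""), re.I)
    if not match:
        findings.append("missing strict-transport-security (HSTS)")
    elif int(match.group(1)) < ONE_YEAR:
        findings.append(f"hsts max-age {match.group(1)} is shorter than one year")
    # Session and CSRF cookies must carry the Secure flag so they only travel over HTTPS.
    for cookie in set_cookies:
        parts = [p.strip().lower() for p in cookie.split(";")]
        if "secure" not in parts[1:]:
            findings.append(f"cookie '{parts[0].split('=', 1)[0]}' lacks the Secure flag")
    return findings

def fetch(url):
    """HEAD the live URL and return (headers dict, list of Set-Cookie values). Needs network."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items()), resp.headers.get_all("Set-Cookie") or []

if __name__ == "__main__":  # usage: python check_headers.py https://orbitingfox.com
    found = check_headers(*fetch(sys.argv[1] if len(sys.argv) > 1 else "https://orbitingfox.com"))
    print("\n".join(found) or "all expected headers present")
    sys.exit(1 if found else 0)
```

A non-zero exit code makes the script usable as a post-deploy gate; run it against the local site as well to see how a DEBUG=True configuration differs.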

What Is Never in Git

  • .env — local debug flag and API keys → gitignored
  • .env.local — database credentials and SECRET_KEY → gitignored

If either file is accidentally committed, rotate every secret it contains immediately; deleting the file in a later commit does not remove it from the repository history, so treat the old values as exposed.