Django debug toolbar in production mode while keeping yourself safe

In my case, the application is an API built on Django Rest Framework. It uses a handful of custom permissions and some other bells and whistles, and it had a bug that only happened in production, so it was a bit difficult to trace what the heck was going on there without the insight that debug mode gives you.

Lots of people use django-debug-toolbar for development.
Of course, enabling debug in production is a no-no, but best practices are one thing and reality, “sometimes”, is another.

Long story short:
You can enable the Django debug toolbar in production on demand, using one of its own features plus a simple browser extension. This is how.

This is the debug toolbar section of my Django settings:

    # Toolbar options
    DEBUG_TOOLBAR_CONFIG = {
        "SHOW_TOOLBAR_CALLBACK": "mymodule.utils.show_debug_toolbar",
    }

Then, in the module that dotted path points to (mymodule/utils.py):

    from main import settings


    def show_debug_toolbar(request):
        # Django exposes the incoming "MYAPPKEY" header as META["HTTP_MYAPPKEY"]
        if "HTTP_MYAPPKEY" in request.META:
            return request.META["HTTP_MYAPPKEY"] == settings.SECRET_KEY
        return settings.DEBUG

And finally, find an extension for your browser that can inject an HTTP header into your requests. I am using “Modify Header Value for Chrome”, but it is up to you; there are several of them out there.

To see it in action you only need to open the extension and set up your application URL, the header name and the value of your settings.SECRET_KEY.

Take care with a subtle detail:
In the show_debug_toolbar function the header is named HTTP_MYAPPKEY, while in the browser extension it is set as MYAPPKEY.
This is because of how Django handles the headers received in the request: it adds a leading “HTTP_”, uppercases them and replaces dashes with underscores.

Now try it yourself and in under 5 minutes you will be the happy owner of a production application you can debug :-)

Important note:
This should only be used over HTTPS, for obvious reasons: you don’t want anyone sniffing the wire or transparently proxying your connection to see your APPKEY in clear text. You can of course change the header name and value to whatever you wish.
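Building on the callback above and on the HTTPS note, here is a hardened variant of the same idea (added example, not the post's own code): it compares a dedicated token instead of SECRET_KEY, uses a constant-time comparison, and refuses to enable the toolbar over plain HTTP. The DEBUG_TOOLBAR_TOKEN setting, the MyAppKey header name and the request stand-in are assumptions so it runs without Django installed.

```python
"""Hardened SHOW_TOOLBAR_CALLBACK (example code, not from the original post).

Runs without Django: `request` is any object with a META dict and is_secure().
"""
import hmac
import logging
from types import SimpleNamespace

log = logging.getLogger(__name__)

# Stand-in for the project settings (constructed values, not real secrets).
# DEBUG_TOOLBAR_TOKEN is a hypothetical setting: a token used only for this
# purpose, so leaking it does not also let someone forge sessions/signatures
# the way a leaked SECRET_KEY would.
SETTINGS = SimpleNamespace(DEBUG=False, DEBUG_TOOLBAR_TOKEN="example-token-change-me")

HEADER_NAME = "MyAppKey"  # header name as typed into the browser extension


def wsgi_header_name(name: str) -> str:
    """Mirror how Django/WSGI exposes a request header in request.META:
    uppercase it, turn '-' into '_', and add the 'HTTP_' prefix."""
    return "HTTP_" + name.upper().replace("-", "_")


def show_debug_toolbar(request, settings=SETTINGS) -> bool:
    """Enable the toolbar only for HTTPS requests carrying the right token."""
    sent = request.META.get(wsgi_header_name(HEADER_NAME))
    if sent is None:
        return settings.DEBUG  # no token: fall back to the normal DEBUG flag
    if not request.is_secure():
        log.warning("debug toolbar token sent over plain HTTP; ignoring it")
        return False
    # constant-time comparison so a wrong token does not leak timing info
    ok = hmac.compare_digest(sent.encode(), settings.DEBUG_TOOLBAR_TOKEN.encode())
    if ok:
        log.info("debug toolbar enabled for %s", request.META.get("REMOTE_ADDR"))
    return ok


def make_request(headers: dict, secure: bool = True, addr: str = "203.0.113.7"):
    """Build a minimal request-like object populated the way WSGI fills META."""
    meta = {wsgi_header_name(k): v for k, v in headers.items()}
    meta["REMOTE_ADDR"] = addr
    return SimpleNamespace(META=meta, is_secure=lambda: secure)


if __name__ == "__main__":
    print(show_debug_toolbar(make_request({HEADER_NAME: SETTINGS.DEBUG_TOOLBAR_TOKEN})))
```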

Hope this is useful for at least one person because it took more time writing this post than fixing the issue :-P
