checks.txt 40 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827
  1. ======================
  2. System check framework
  3. ======================
  4. .. currentmodule:: django.core.checks
  5. The system check framework is a set of static checks for validating Django
  6. projects. It detects common problems and provides hints for how to fix them.
  7. The framework is extensible so you can easily add your own checks.
  8. For details on how to add your own checks and integrate them with Django's
  9. system checks, see the :doc:`System check topic guide </topics/checks>`.
  10. API reference
  11. =============
  12. ``CheckMessage``
  13. ----------------
  14. .. class:: CheckMessage(level, msg, hint=None, obj=None, id=None)
  15. The warnings and errors raised by system checks must be instances of
  16. ``CheckMessage``. An instance encapsulates a single reportable error or
  17. warning. It also provides context and hints applicable to the message, and a
  18. unique identifier that is used for filtering purposes.
  19. Constructor arguments are:
  20. ``level``
  21. The severity of the message. Use one of the predefined values: ``DEBUG``,
  22. ``INFO``, ``WARNING``, ``ERROR``, ``CRITICAL``. If the level is greater or
  23. equal to ``ERROR``, then Django will prevent management commands from
  24. executing. Messages with level lower than ``ERROR`` (i.e. warnings) are
  25. reported to the console, but can be silenced.
  26. ``msg``
  27. A short (less than 80 characters) string describing the problem. The string
  28. should *not* contain newlines.
  29. ``hint``
  30. A single-line string providing a hint for fixing the problem. If no hint
  31. can be provided, or the hint is self-evident from the error message, the
  32. hint can be omitted, or a value of ``None`` can be used.
  33. ``obj``
  34. Optional. An object providing context for the message (for example, the
  35. model where the problem was discovered). The object should be a model,
  36. field, or manager or any other object that defines a ``__str__()`` method.
  37. The method is used while reporting all messages and its result precedes the
  38. message.
  39. ``id``
  40. Optional string. A unique identifier for the issue. Identifiers should
  41. follow the pattern ``applabel.X001``, where ``X`` is one of the letters
  42. ``CEWID``, indicating the message severity (``C`` for criticals, ``E`` for
  43. errors and so). The number can be allocated by the application, but should
  44. be unique within that application.
  45. There are subclasses to make creating messages with common levels easier. When
  46. using them you can omit the ``level`` argument because it is implied by the
  47. class name.
  48. .. class:: Debug(msg, hint=None, obj=None, id=None)
  49. .. class:: Info(msg, hint=None, obj=None, id=None)
  50. .. class:: Warning(msg, hint=None obj=None, id=None)
  51. .. class:: Error(msg, hint=None, obj=None, id=None)
  52. .. class:: Critical(msg, hint=None, obj=None, id=None)
  53. .. _system-check-builtin-tags:
  54. Builtin tags
  55. ============
  56. Django's system checks are organized using the following tags:
  57. * ``admin``: Checks of any admin site declarations.
  58. * ``async_support``: Checks asynchronous-related configuration.
  59. * ``caches``: Checks cache related configuration.
  60. * ``compatibility``: Flags potential problems with version upgrades.
  61. * ``database``: Checks database-related configuration issues. Database checks
  62. are not run by default because they do more than static code analysis as
  63. regular checks do. They are only run by the :djadmin:`migrate` command or if
  64. you specify configured database aliases using the ``--database`` option when
  65. calling the :djadmin:`check` command.
  66. * ``models``: Checks of model, field, and manager definitions.
  67. * ``security``: Checks security related configuration.
  68. * ``signals``: Checks on signal declarations and handler registrations.
  69. * ``staticfiles``: Checks :mod:`django.contrib.staticfiles` configuration.
  70. * ``templates``: Checks template related configuration.
  71. * ``translation``: Checks translation related configuration.
  72. * ``urls``: Checks URL configuration.
  73. Some checks may be registered with multiple tags.
  74. .. versionchanged:: 3.1
  75. The ``async_support`` tag was added.
  76. .. versionchanged:: 3.1
  77. The ``database`` checks are now run only for database aliases specified
  78. using the :option:`check --database` option.
  79. Core system checks
  80. ==================
  81. Asynchronous support
  82. --------------------
  83. .. versionadded:: 3.1
  84. The following checks verify your setup for :doc:`/topics/async`:
  85. * **async.E001**: You should not set the :envvar:`DJANGO_ALLOW_ASYNC_UNSAFE`
  86. environment variable in deployment. This disables :ref:`async safety
  87. protection <async-safety>`.
  88. Backwards compatibility
  89. -----------------------
  90. Compatibility checks warn of potential problems that might occur after
  91. upgrading Django.
  92. * **2_0.W001**: Your URL pattern ``<pattern>`` has a ``route`` that contains
  93. ``(?P<``, begins with a ``^``, or ends with a ``$``. This was likely an
  94. oversight when migrating from ``url()`` to :func:`~django.urls.path`.
  95. Caches
  96. ------
  97. The following checks verify that your :setting:`CACHES` setting is correctly
  98. configured:
  99. * **caches.E001**: You must define a ``'default'`` cache in your
  100. :setting:`CACHES` setting.
  101. Database
  102. --------
  103. MySQL and MariaDB
  104. ~~~~~~~~~~~~~~~~~
  105. If you're using MySQL or MariaDB, the following checks will be performed:
  106. * **mysql.E001**: MySQL/MariaDB does not allow unique ``CharField``\s to have a
  107. ``max_length`` > 255. *This check was changed to* ``mysql.W003`` *in Django
  108. 3.1 as the real maximum size depends on many factors.*
  109. * **mysql.W002**: MySQL/MariaDB Strict Mode is not set for database connection
  110. ``<alias>``. See also :ref:`mysql-sql-mode`.
  111. * **mysql.W003**: MySQL/MariaDB may not allow unique ``CharField``\s to have a
  112. ``max_length`` > 255.
  113. Model fields
  114. ------------
  115. * **fields.E001**: Field names must not end with an underscore.
  116. * **fields.E002**: Field names must not contain ``"__"``.
  117. * **fields.E003**: ``pk`` is a reserved word that cannot be used as a field
  118. name.
  119. * **fields.E004**: ``choices`` must be an iterable (e.g., a list or tuple).
  120. * **fields.E005**: ``choices`` must be an iterable returning ``(actual value,
  121. human readable name)`` tuples.
  122. * **fields.E006**: ``db_index`` must be ``None``, ``True`` or ``False``.
  123. * **fields.E007**: Primary keys must not have ``null=True``.
  124. * **fields.E008**: All ``validators`` must be callable.
  125. * **fields.E009**: ``max_length`` is too small to fit the longest value in
  126. ``choices`` (``<count>`` characters).
  127. * **fields.E010**: ``<field>`` default should be a callable instead of an
  128. instance so that it's not shared between all field instances.
  129. * **fields.E100**: ``AutoField``\s must set primary_key=True.
  130. * **fields.E110**: ``BooleanField``\s do not accept null values. *This check
  131. appeared before support for null values was added in Django 2.1.*
  132. * **fields.E120**: ``CharField``\s must define a ``max_length`` attribute.
  133. * **fields.E121**: ``max_length`` must be a positive integer.
  134. * **fields.W122**: ``max_length`` is ignored when used with
  135. ``<integer field type>``.
  136. * **fields.E130**: ``DecimalField``\s must define a ``decimal_places`` attribute.
  137. * **fields.E131**: ``decimal_places`` must be a non-negative integer.
  138. * **fields.E132**: ``DecimalField``\s must define a ``max_digits`` attribute.
  139. * **fields.E133**: ``max_digits`` must be a non-negative integer.
  140. * **fields.E134**: ``max_digits`` must be greater or equal to ``decimal_places``.
  141. * **fields.E140**: ``FilePathField``\s must have either ``allow_files`` or
  142. ``allow_folders`` set to True.
  143. * **fields.E150**: ``GenericIPAddressField``\s cannot accept blank values if
  144. null values are not allowed, as blank values are stored as nulls.
  145. * **fields.E160**: The options ``auto_now``, ``auto_now_add``, and ``default``
  146. are mutually exclusive. Only one of these options may be present.
  147. * **fields.W161**: Fixed default value provided.
  148. * **fields.W162**: ``<database>`` does not support a database index on
  149. ``<field data type>`` columns.
  150. * **fields.E170**: ``BinaryField``’s ``default`` cannot be a string. Use bytes
  151. content instead.
  152. * **fields.E180**: ``<database>`` does not support ``JSONField``\s.
  153. * **fields.E900**: ``IPAddressField`` has been removed except for support in
  154. historical migrations.
  155. * **fields.W900**: ``IPAddressField`` has been deprecated. Support for it
  156. (except in historical migrations) will be removed in Django 1.9. *This check
  157. appeared in Django 1.7 and 1.8*.
  158. * **fields.W901**: ``CommaSeparatedIntegerField`` has been deprecated. Support
  159. for it (except in historical migrations) will be removed in Django 2.0. *This
  160. check appeared in Django 1.10 and 1.11*.
  161. * **fields.E901**: ``CommaSeparatedIntegerField`` is removed except for support
  162. in historical migrations.
  163. * **fields.W902**: ``FloatRangeField`` is deprecated and will be removed in
  164. Django 3.1. *This check appeared in Django 2.2 and 3.0*.
  165. * **fields.W903**: ``NullBooleanField`` is deprecated. Support for it (except
  166. in historical migrations) will be removed in Django 4.0.
  167. * **fields.W904**: ``django.contrib.postgres.fields.JSONField`` is deprecated.
  168. Support for it (except in historical migrations) will be removed in Django
  169. 4.0.
  170. File fields
  171. ~~~~~~~~~~~
  172. * **fields.E200**: ``unique`` is not a valid argument for a ``FileField``.
  173. *This check is removed in Django 1.11*.
  174. * **fields.E201**: ``primary_key`` is not a valid argument for a ``FileField``.
  175. * **fields.E202**: ``FileField``’s ``upload_to`` argument must be a relative
  176. path, not an absolute path.
  177. * **fields.E210**: Cannot use ``ImageField`` because Pillow is not installed.
  178. Related fields
  179. ~~~~~~~~~~~~~~
  180. * **fields.E300**: Field defines a relation with model ``<model>``, which is
  181. either not installed, or is abstract.
  182. * **fields.E301**: Field defines a relation with the model ``<model>`` which
  183. has been swapped out.
  184. * **fields.E302**: Accessor for field ``<field name>`` clashes with field
  185. ``<field name>``.
  186. * **fields.E303**: Reverse query name for field ``<field name>`` clashes with
  187. field ``<field name>``.
  188. * **fields.E304**: Field name ``<field name>`` clashes with accessor for
  189. ``<field name>``.
  190. * **fields.E305**: Field name ``<field name>`` clashes with reverse query name
  191. for ``<field name>``.
  192. * **fields.E306**: Related name must be a valid Python identifier or end with
  193. a ``'+'``.
  194. * **fields.E307**: The field ``<app label>.<model>.<field name>`` was declared
  195. with a lazy reference to ``<app label>.<model>``, but app ``<app label>``
  196. isn't installed or doesn't provide model ``<model>``.
  197. * **fields.E308**: Reverse query name ``<related query name>`` must not end
  198. with an underscore.
  199. * **fields.E309**: Reverse query name ``<related query name>`` must not contain
  200. ``'__'``.
  201. * **fields.E310**: No subset of the fields ``<field1>``, ``<field2>``, ... on
  202. model ``<model>`` is unique.
  203. * **fields.E311**: ``<model>.<field name>`` must be unique because it is
  204. referenced by a ``ForeignKey``.
  205. * **fields.E312**: The ``to_field`` ``<field name>`` doesn't exist on the
  206. related model ``<app label>.<model>``.
  207. * **fields.E320**: Field specifies ``on_delete=SET_NULL``, but cannot be null.
  208. * **fields.E321**: The field specifies ``on_delete=SET_DEFAULT``, but has no
  209. default value.
  210. * **fields.E330**: ``ManyToManyField``\s cannot be unique.
  211. * **fields.E331**: Field specifies a many-to-many relation through model
  212. ``<model>``, which has not been installed.
  213. * **fields.E332**: Many-to-many fields with intermediate tables must not be
  214. symmetrical. *This check appeared before Django 3.0.*
  215. * **fields.E333**: The model is used as an intermediate model by ``<model>``,
  216. but it has more than two foreign keys to ``<model>``, which is ambiguous.
  217. You must specify which two foreign keys Django should use via the
  218. ``through_fields`` keyword argument.
  219. * **fields.E334**: The model is used as an intermediate model by ``<model>``,
  220. but it has more than one foreign key from ``<model>``, which is ambiguous.
  221. You must specify which foreign key Django should use via the
  222. ``through_fields`` keyword argument.
  223. * **fields.E335**: The model is used as an intermediate model by ``<model>``,
  224. but it has more than one foreign key to ``<model>``, which is ambiguous.
  225. You must specify which foreign key Django should use via the
  226. ``through_fields`` keyword argument.
  227. * **fields.E336**: The model is used as an intermediary model by ``<model>``,
  228. but it does not have foreign key to ``<model>`` or ``<model>``.
  229. * **fields.E337**: Field specifies ``through_fields`` but does not provide the
  230. names of the two link fields that should be used for the relation through
  231. ``<model>``.
  232. * **fields.E338**: The intermediary model ``<through model>`` has no field
  233. ``<field name>``.
  234. * **fields.E339**: ``<model>.<field name>`` is not a foreign key to ``<model>``.
  235. * **fields.E340**: The field's intermediary table ``<table name>`` clashes with
  236. the table name of ``<model>``/``<model>.<field name>``.
  237. * **fields.W340**: ``null`` has no effect on ``ManyToManyField``.
  238. * **fields.W341**: ``ManyToManyField`` does not support ``validators``.
  239. * **fields.W342**: Setting ``unique=True`` on a ``ForeignKey`` has the same
  240. effect as using a ``OneToOneField``.
  241. * **fields.W343**: ``limit_choices_to`` has no effect on ``ManyToManyField``
  242. with a ``through`` model.
  243. * **fields.W344**: The field's intermediary table ``<table name>`` clashes with
  244. the table name of ``<model>``/``<model>.<field name>``.
  245. Models
  246. ------
  247. * **models.E001**: ``<swappable>`` is not of the form ``app_label.app_name``.
  248. * **models.E002**: ``<SETTING>`` references ``<model>``, which has not been
  249. installed, or is abstract.
  250. * **models.E003**: The model has two identical many-to-many relations through
  251. the intermediate model ``<app_label>.<model>``.
  252. * **models.E004**: ``id`` can only be used as a field name if the field also
  253. sets ``primary_key=True``.
  254. * **models.E005**: The field ``<field name>`` from parent model ``<model>``
  255. clashes with the field ``<field name>`` from parent model ``<model>``.
  256. * **models.E006**: The field clashes with the field ``<field name>`` from model
  257. ``<model>``.
  258. * **models.E007**: Field ``<field name>`` has column name ``<column name>``
  259. that is used by another field.
  260. * **models.E008**: ``index_together`` must be a list or tuple.
  261. * **models.E009**: All ``index_together`` elements must be lists or tuples.
  262. * **models.E010**: ``unique_together`` must be a list or tuple.
  263. * **models.E011**: All ``unique_together`` elements must be lists or tuples.
  264. * **models.E012**: ``constraints/indexes/index_together/unique_together``
  265. refers to the nonexistent field ``<field name>``.
  266. * **models.E013**: ``constraints/indexes/index_together/unique_together``
  267. refers to a ``ManyToManyField`` ``<field name>``, but ``ManyToManyField``\s
  268. are not supported for that option.
  269. * **models.E014**: ``ordering`` must be a tuple or list (even if you want to
  270. order by only one field).
  271. * **models.E015**: ``ordering`` refers to the nonexistent field, related field,
  272. or lookup ``<field name>``.
  273. * **models.E016**: ``constraints/indexes/index_together/unique_together``
  274. refers to field ``<field_name>`` which is not local to model ``<model>``.
  275. * **models.E017**: Proxy model ``<model>`` contains model fields.
  276. * **models.E018**: Autogenerated column name too long for field ``<field>``.
  277. Maximum length is ``<maximum length>`` for database ``<alias>``.
  278. * **models.E019**: Autogenerated column name too long for M2M field
  279. ``<M2M field>``. Maximum length is ``<maximum length>`` for database
  280. ``<alias>``.
  281. * **models.E020**: The ``<model>.check()`` class method is currently overridden.
  282. * **models.E021**: ``ordering`` and ``order_with_respect_to`` cannot be used
  283. together.
  284. * **models.E022**: ``<function>`` contains a lazy reference to
  285. ``<app label>.<model>``, but app ``<app label>`` isn't installed or
  286. doesn't provide model ``<model>``.
  287. * **models.E023**: The model name ``<model>`` cannot start or end with an
  288. underscore as it collides with the query lookup syntax.
  289. * **models.E024**: The model name ``<model>`` cannot contain double underscores
  290. as it collides with the query lookup syntax.
  291. * **models.E025**: The property ``<property name>`` clashes with a related
  292. field accessor.
  293. * **models.E026**: The model cannot have more than one field with
  294. ``primary_key=True``.
  295. * **models.W027**: ``<database>`` does not support check constraints.
  296. * **models.E028**: ``db_table`` ``<db_table>`` is used by multiple models:
  297. ``<model list>``.
  298. * **models.E029**: index name ``<index>`` is not unique for model ``<model>``.
  299. * **models.E030**: index name ``<index>`` is not unique among models:
  300. ``<model list>``.
  301. * **models.E031**: constraint name ``<constraint>`` is not unique for model
  302. ``<model>``.
  303. * **models.E032**: constraint name ``<constraint>`` is not unique among
  304. models: ``<model list>``.
  305. * **models.E033**: The index name ``<index>`` cannot start with an underscore
  306. or a number.
  307. * **models.E034**: The index name ``<index>`` cannot be longer than
  308. ``<max_length>`` characters.
  309. * **models.W035**: ``db_table`` ``<db_table>`` is used by multiple models:
  310. ``<model list>``.
  311. * **models.W036**: ``<database>`` does not support unique constraints with
  312. conditions.
  313. * **models.W037**: ``<database>`` does not support indexes with conditions.
  314. * **models.W038**: ``<database>`` does not support deferrable unique
  315. constraints.
  316. * **models.W039**: ``<database>`` does not support unique constraints with
  317. non-key columns.
  318. * **models.W040**: ``<database>`` does not support indexes with non-key
  319. columns.
  320. * **models.E041**: ``constraints`` refers to the joined field ``<field name>``.
  321. Security
  322. --------
  323. The security checks do not make your site secure. They do not audit code, do
  324. intrusion detection, or do anything particularly complex. Rather, they help
  325. perform an automated, low-hanging-fruit checklist, that can help you to improve
  326. your site's security.
  327. Some of these checks may not be appropriate for your particular deployment
  328. configuration. For instance, if you do your HTTP to HTTPS redirection in a load
  329. balancer, it'd be irritating to be constantly warned about not having enabled
  330. :setting:`SECURE_SSL_REDIRECT`. Use :setting:`SILENCED_SYSTEM_CHECKS` to
  331. silence unneeded checks.
  332. The following checks are run if you use the :option:`check --deploy` option:
  333. * **security.W001**: You do not have
  334. :class:`django.middleware.security.SecurityMiddleware` in your
  335. :setting:`MIDDLEWARE` so the :setting:`SECURE_HSTS_SECONDS`,
  336. :setting:`SECURE_CONTENT_TYPE_NOSNIFF`, :setting:`SECURE_BROWSER_XSS_FILTER`,
  337. :setting:`SECURE_REFERRER_POLICY`, and :setting:`SECURE_SSL_REDIRECT`
  338. settings will have no effect.
  339. * **security.W002**: You do not have
  340. :class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
  341. :setting:`MIDDLEWARE`, so your pages will not be served with an
  342. ``'x-frame-options'`` header. Unless there is a good reason for your
  343. site to be served in a frame, you should consider enabling this
  344. header to help prevent clickjacking attacks.
  345. * **security.W003**: You don't appear to be using Django's built-in cross-site
  346. request forgery protection via the middleware
  347. (:class:`django.middleware.csrf.CsrfViewMiddleware` is not in your
  348. :setting:`MIDDLEWARE`). Enabling the middleware is the safest
  349. approach to ensure you don't leave any holes.
  350. * **security.W004**: You have not set a value for the
  351. :setting:`SECURE_HSTS_SECONDS` setting. If your entire site is served only
  352. over SSL, you may want to consider setting a value and enabling :ref:`HTTP
  353. Strict Transport Security <http-strict-transport-security>`. Be sure to read
  354. the documentation first; enabling HSTS carelessly can cause serious,
  355. irreversible problems.
  356. * **security.W005**: You have not set the
  357. :setting:`SECURE_HSTS_INCLUDE_SUBDOMAINS` setting to ``True``. Without this,
  358. your site is potentially vulnerable to attack via an insecure connection to a
  359. subdomain. Only set this to ``True`` if you are certain that all subdomains of
  360. your domain should be served exclusively via SSL.
  361. * **security.W006**: Your :setting:`SECURE_CONTENT_TYPE_NOSNIFF` setting is not
  362. set to ``True``, so your pages will not be served with an
  363. ``'X-Content-Type-Options: nosniff'`` header. You should consider enabling
  364. this header to prevent the browser from identifying content types incorrectly.
  365. * **security.W007**: Your :setting:`SECURE_BROWSER_XSS_FILTER` setting is not
  366. set to ``True``, so your pages will not be served with an
  367. ``'X-XSS-Protection: 1; mode=block'`` header. You should consider enabling
  368. this header to activate the browser's XSS filtering and help prevent XSS
  369. attacks. *This check is removed in Django 3.0 as the* ``X-XSS-Protection``
  370. *header is no longer honored by modern browsers.*
  371. * **security.W008**: Your :setting:`SECURE_SSL_REDIRECT` setting is not set to
  372. ``True``. Unless your site should be available over both SSL and non-SSL
  373. connections, you may want to either set this setting to ``True`` or configure
  374. a load balancer or reverse-proxy server to redirect all connections to HTTPS.
  375. * **security.W009**: Your :setting:`SECRET_KEY` has less than 50 characters or
  376. less than 5 unique characters. Please generate a long and random
  377. ``SECRET_KEY``, otherwise many of Django's security-critical features will be
  378. vulnerable to attack.
  379. * **security.W010**: You have :mod:`django.contrib.sessions` in your
  380. :setting:`INSTALLED_APPS` but you have not set
  381. :setting:`SESSION_COOKIE_SECURE` to ``True``. Using a secure-only session
  382. cookie makes it more difficult for network traffic sniffers to hijack user
  383. sessions.
  384. * **security.W011**: You have
  385. :class:`django.contrib.sessions.middleware.SessionMiddleware` in your
  386. :setting:`MIDDLEWARE`, but you have not set :setting:`SESSION_COOKIE_SECURE`
  387. to ``True``. Using a secure-only session cookie makes it more difficult for
  388. network traffic sniffers to hijack user sessions.
  389. * **security.W012**: :setting:`SESSION_COOKIE_SECURE` is not set to ``True``.
  390. Using a secure-only session cookie makes it more difficult for network traffic
  391. sniffers to hijack user sessions.
  392. * **security.W013**: You have :mod:`django.contrib.sessions` in your
  393. :setting:`INSTALLED_APPS`, but you have not set
  394. :setting:`SESSION_COOKIE_HTTPONLY` to ``True``. Using an ``HttpOnly`` session
  395. cookie makes it more difficult for cross-site scripting attacks to hijack user
  396. sessions.
  397. * **security.W014**: You have
  398. :class:`django.contrib.sessions.middleware.SessionMiddleware` in your
  399. :setting:`MIDDLEWARE`, but you have not set :setting:`SESSION_COOKIE_HTTPONLY`
  400. to ``True``. Using an ``HttpOnly`` session cookie makes it more difficult for
  401. cross-site scripting attacks to hijack user sessions.
  402. * **security.W015**: :setting:`SESSION_COOKIE_HTTPONLY` is not set to ``True``.
  403. Using an ``HttpOnly`` session cookie makes it more difficult for cross-site
  404. scripting attacks to hijack user sessions.
  405. * **security.W016**: :setting:`CSRF_COOKIE_SECURE` is not set to ``True``.
  406. Using a secure-only CSRF cookie makes it more difficult for network traffic
  407. sniffers to steal the CSRF token.
  408. * **security.W017**: :setting:`CSRF_COOKIE_HTTPONLY` is not set to ``True``.
  409. Using an ``HttpOnly`` CSRF cookie makes it more difficult for cross-site
  410. scripting attacks to steal the CSRF token. *This check is removed in Django
  411. 1.11 as the* :setting:`CSRF_COOKIE_HTTPONLY` *setting offers no practical
  412. benefit.*
  413. * **security.W018**: You should not have :setting:`DEBUG` set to ``True`` in
  414. deployment.
  415. * **security.W019**: You have
  416. :class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
  417. :setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to
  418. ``'DENY'``. Unless there is a good reason for your site to serve other parts
  419. of itself in a frame, you should change it to ``'DENY'``.
  420. * **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
  421. * **security.W021**: You have not set the
  422. :setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site
  423. cannot be submitted to the browser preload list.
  424. * **security.W022**: You have not set the :setting:`SECURE_REFERRER_POLICY`
  425. setting. Without this, your site will not send a Referrer-Policy header. You
  426. should consider enabling this header to protect user privacy.
  427. * **security.E023**: You have set the :setting:`SECURE_REFERRER_POLICY` setting
  428. to an invalid value.
  429. Signals
  430. -------
  431. * **signals.E001**: ``<handler>`` was connected to the ``<signal>`` signal with
  432. a lazy reference to the sender ``<app label>.<model>``, but app ``<app label>``
  433. isn't installed or doesn't provide model ``<model>``.
  434. Templates
  435. ---------
  436. The following checks verify that your :setting:`TEMPLATES` setting is correctly
  437. configured:
  438. * **templates.E001**: You have ``'APP_DIRS': True`` in your
  439. :setting:`TEMPLATES` but also specify ``'loaders'`` in ``OPTIONS``. Either
  440. remove ``APP_DIRS`` or remove the ``'loaders'`` option.
  441. * **templates.E002**: ``string_if_invalid`` in :setting:`TEMPLATES`
  442. :setting:`OPTIONS <TEMPLATES-OPTIONS>` must be a string but got: ``{value}``
  443. (``{type}``).
  444. Translation
  445. -----------
  446. The following checks are performed on your translation configuration:
  447. * **translation.E001**: You have provided an invalid value for the
  448. :setting:`LANGUAGE_CODE` setting: ``<value>``.
  449. * **translation.E002**: You have provided an invalid language code in the
  450. :setting:`LANGUAGES` setting: ``<value>``.
  451. * **translation.E003**: You have provided an invalid language code in the
  452. :setting:`LANGUAGES_BIDI` setting: ``<value>``.
  453. * **translation.E004**: You have provided a value for the
  454. :setting:`LANGUAGE_CODE` setting that is not in the :setting:`LANGUAGES`
  455. setting.
  456. URLs
  457. ----
  458. The following checks are performed on your URL configuration:
  459. * **urls.W001**: Your URL pattern ``<pattern>`` uses
  460. :func:`~django.urls.include` with a ``route`` ending with a ``$``. Remove the
  461. dollar from the ``route`` to avoid problems including URLs.
  462. * **urls.W002**: Your URL pattern ``<pattern>`` has a ``route`` beginning with
  463. a ``/``. Remove this slash as it is unnecessary. If this pattern is targeted
  464. in an :func:`~django.urls.include`, ensure the :func:`~django.urls.include`
  465. pattern has a trailing ``/``.
  466. * **urls.W003**: Your URL pattern ``<pattern>`` has a ``name``
  467. including a ``:``. Remove the colon, to avoid ambiguous namespace
  468. references.
  469. * **urls.E004**: Your URL pattern ``<pattern>`` is invalid. Ensure that
  470. ``urlpatterns`` is a list of :func:`~django.urls.path` and/or
  471. :func:`~django.urls.re_path` instances.
  472. * **urls.W005**: URL namespace ``<namespace>`` isn't unique. You may not be
  473. able to reverse all URLs in this namespace.
  474. * **urls.E006**: The :setting:`MEDIA_URL`/ :setting:`STATIC_URL` setting must
  475. end with a slash.
  476. * **urls.E007**: The custom ``handlerXXX`` view ``'path.to.view'`` does not
  477. take the correct number of arguments (…).
  478. * **urls.E008**: The custom ``handlerXXX`` view ``'path.to.view'`` could not be
  479. imported.
  480. ``contrib`` app checks
  481. ======================
  482. ``admin``
  483. ---------
  484. Admin checks are all performed as part of the ``admin`` tag.
  485. The following checks are performed on any
  486. :class:`~django.contrib.admin.ModelAdmin` (or subclass) that is registered
  487. with the admin site:
  488. * **admin.E001**: The value of ``raw_id_fields`` must be a list or tuple.
  489. * **admin.E002**: The value of ``raw_id_fields[n]`` refers to ``<field name>``,
  490. which is not an attribute of ``<model>``.
  491. * **admin.E003**: The value of ``raw_id_fields[n]`` must be a foreign key or
  492. a many-to-many field.
  493. * **admin.E004**: The value of ``fields`` must be a list or tuple.
  494. * **admin.E005**: Both ``fieldsets`` and ``fields`` are specified.
  495. * **admin.E006**: The value of ``fields`` contains duplicate field(s).
  496. * **admin.E007**: The value of ``fieldsets`` must be a list or tuple.
  497. * **admin.E008**: The value of ``fieldsets[n]`` must be a list or tuple.
  498. * **admin.E009**: The value of ``fieldsets[n]`` must be of length 2.
  499. * **admin.E010**: The value of ``fieldsets[n][1]`` must be a dictionary.
  500. * **admin.E011**: The value of ``fieldsets[n][1]`` must contain the key
  501. ``fields``.
  502. * **admin.E012**: There are duplicate field(s) in ``fieldsets[n][1]``.
  503. * **admin.E013**: ``fields[n]/fieldsets[n][m]`` cannot include the
  504. ``ManyToManyField`` ``<field name>``, because that field manually specifies a
  505. relationship model.
  506. * **admin.E014**: The value of ``exclude`` must be a list or tuple.
  507. * **admin.E015**: The value of ``exclude`` contains duplicate field(s).
  508. * **admin.E016**: The value of ``form`` must inherit from ``BaseModelForm``.
  509. * **admin.E017**: The value of ``filter_vertical`` must be a list or tuple.
  510. * **admin.E018**: The value of ``filter_horizontal`` must be a list or tuple.
  511. * **admin.E019**: The value of ``filter_vertical[n]/filter_vertical[n]`` refers
  512. to ``<field name>``, which is not an attribute of ``<model>``.
  513. * **admin.E020**: The value of ``filter_vertical[n]/filter_vertical[n]`` must
  514. be a many-to-many field.
  515. * **admin.E021**: The value of ``radio_fields`` must be a dictionary.
  516. * **admin.E022**: The value of ``radio_fields`` refers to ``<field name>``,
  517. which is not an attribute of ``<model>``.
  518. * **admin.E023**: The value of ``radio_fields`` refers to ``<field name>``,
  519. which is not a ``ForeignKey``, and does not have a ``choices`` definition.
  520. * **admin.E024**: The value of ``radio_fields[<field name>]`` must be either
  521. ``admin.HORIZONTAL`` or ``admin.VERTICAL``.
  522. * **admin.E025**: The value of ``view_on_site`` must be either a callable or a
  523. boolean value.
  524. * **admin.E026**: The value of ``prepopulated_fields`` must be a dictionary.
  525. * **admin.E027**: The value of ``prepopulated_fields`` refers to
  526. ``<field name>``, which is not an attribute of ``<model>``.
  527. * **admin.E028**: The value of ``prepopulated_fields`` refers to
  528. ``<field name>``, which must not be a ``DateTimeField``, a ``ForeignKey``,
  529. a ``OneToOneField``, or a ``ManyToManyField`` field.
  530. * **admin.E029**: The value of ``prepopulated_fields[<field name>]`` must be a
  531. list or tuple.
  532. * **admin.E030**: The value of ``prepopulated_fields`` refers to
  533. ``<field name>``, which is not an attribute of ``<model>``.
  534. * **admin.E031**: The value of ``ordering`` must be a list or tuple.
  535. * **admin.E032**: The value of ``ordering`` has the random ordering marker
  536. ``?``, but contains other fields as well.
  537. * **admin.E033**: The value of ``ordering`` refers to ``<field name>``, which
  538. is not an attribute of ``<model>``.
  539. * **admin.E034**: The value of ``readonly_fields`` must be a list or tuple.
  540. * **admin.E035**: The value of ``readonly_fields[n]`` is not a callable, an
  541. attribute of ``<ModelAdmin class>``, or an attribute of ``<model>``.
  542. * **admin.E036**: The value of ``autocomplete_fields`` must be a list or tuple.
  543. * **admin.E037**: The value of ``autocomplete_fields[n]`` refers to
  544. ``<field name>``, which is not an attribute of ``<model>``.
  545. * **admin.E038**: The value of ``autocomplete_fields[n]`` must be a foreign
  546. key or a many-to-many field.
  547. * **admin.E039**: An admin for model ``<model>`` has to be registered to be
  548. referenced by ``<modeladmin>.autocomplete_fields``.
  549. * **admin.E040**: ``<modeladmin>`` must define ``search_fields``, because
  550. it's referenced by ``<other_modeladmin>.autocomplete_fields``.
  551. ``ModelAdmin``
  552. ~~~~~~~~~~~~~~
  553. The following checks are performed on any
  554. :class:`~django.contrib.admin.ModelAdmin` that is registered
  555. with the admin site:
  556. * **admin.E101**: The value of ``save_as`` must be a boolean.
  557. * **admin.E102**: The value of ``save_on_top`` must be a boolean.
  558. * **admin.E103**: The value of ``inlines`` must be a list or tuple.
  559. * **admin.E104**: ``<InlineModelAdmin class>`` must inherit from
  560. ``InlineModelAdmin``.
  561. * **admin.E105**: ``<InlineModelAdmin class>`` must have a ``model`` attribute.
  562. * **admin.E106**: The value of ``<InlineModelAdmin class>.model`` must be a
  563. ``Model``.
  564. * **admin.E107**: The value of ``list_display`` must be a list or tuple.
  565. * **admin.E108**: The value of ``list_display[n]`` refers to ``<label>``,
  566. which is not a callable, an attribute of ``<ModelAdmin class>``, or an
  567. attribute or method on ``<model>``.
  568. * **admin.E109**: The value of ``list_display[n]`` must not be a
  569. ``ManyToManyField`` field.
  570. * **admin.E110**: The value of ``list_display_links`` must be a list, a tuple,
  571. or ``None``.
  572. * **admin.E111**: The value of ``list_display_links[n]`` refers to ``<label>``,
  573. which is not defined in ``list_display``.
  574. * **admin.E112**: The value of ``list_filter`` must be a list or tuple.
  575. * **admin.E113**: The value of ``list_filter[n]`` must inherit from
  576. ``ListFilter``.
  577. * **admin.E114**: The value of ``list_filter[n]`` must not inherit from
  578. ``FieldListFilter``.
  579. * **admin.E115**: The value of ``list_filter[n][1]`` must inherit from
  580. ``FieldListFilter``.
  581. * **admin.E116**: The value of ``list_filter[n]`` refers to ``<label>``,
  582. which does not refer to a Field.
  583. * **admin.E117**: The value of ``list_select_related`` must be a boolean,
  584. tuple or list.
  585. * **admin.E118**: The value of ``list_per_page`` must be an integer.
  586. * **admin.E119**: The value of ``list_max_show_all`` must be an integer.
  587. * **admin.E120**: The value of ``list_editable`` must be a list or tuple.
  588. * **admin.E121**: The value of ``list_editable[n]`` refers to ``<label>``,
  589. which is not an attribute of ``<model>``.
  590. * **admin.E122**: The value of ``list_editable[n]`` refers to ``<label>``,
  591. which is not contained in ``list_display``.
  592. * **admin.E123**: The value of ``list_editable[n]`` cannot be in both
  593. ``list_editable`` and ``list_display_links``.
  594. * **admin.E124**: The value of ``list_editable[n]`` refers to the first field
  595. in ``list_display`` (``<label>``), which cannot be used unless
  596. ``list_display_links`` is set.
  597. * **admin.E125**: The value of ``list_editable[n]`` refers to ``<field name>``,
  598. which is not editable through the admin.
  599. * **admin.E126**: The value of ``search_fields`` must be a list or tuple.
  600. * **admin.E127**: The value of ``date_hierarchy`` refers to ``<field name>``,
  601. which does not refer to a Field.
  602. * **admin.E128**: The value of ``date_hierarchy`` must be a ``DateField`` or
  603. ``DateTimeField``.
  604. * **admin.E129**: ``<modeladmin>`` must define a ``has_<foo>_permission()``
  605. method for the ``<action>`` action.
  606. * **admin.E130**: ``__name__`` attributes of actions defined in
  607. ``<modeladmin>`` must be unique. Name ``<name>`` is not unique.
  608. ``InlineModelAdmin``
  609. ~~~~~~~~~~~~~~~~~~~~
  610. The following checks are performed on any
  611. :class:`~django.contrib.admin.InlineModelAdmin` that is registered as an
  612. inline on a :class:`~django.contrib.admin.ModelAdmin`.
  613. * **admin.E201**: Cannot exclude the field ``<field name>``, because it is the
  614. foreign key to the parent model ``<app_label>.<model>``.
  615. * **admin.E202**: ``<model>`` has no ``ForeignKey`` to ``<parent model>``./
  616. ``<model>`` has more than one ``ForeignKey`` to ``<parent model>``. You must
  617. specify a ``fk_name`` attribute.
  618. * **admin.E203**: The value of ``extra`` must be an integer.
  619. * **admin.E204**: The value of ``max_num`` must be an integer.
  620. * **admin.E205**: The value of ``min_num`` must be an integer.
  621. * **admin.E206**: The value of ``formset`` must inherit from
  622. ``BaseModelFormSet``.
  623. ``GenericInlineModelAdmin``
  624. ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  625. The following checks are performed on any
  626. :class:`~django.contrib.contenttypes.admin.GenericInlineModelAdmin` that is
  627. registered as an inline on a :class:`~django.contrib.admin.ModelAdmin`.
  628. * **admin.E301**: ``'ct_field'`` references ``<label>``, which is not a field
  629. on ``<model>``.
  630. * **admin.E302**: ``'ct_fk_field'`` references ``<label>``, which is not a
  631. field on ``<model>``.
  632. * **admin.E303**: ``<model>`` has no ``GenericForeignKey``.
  633. * **admin.E304**: ``<model>`` has no ``GenericForeignKey`` using content type
  634. field ``<field name>`` and object ID field ``<field name>``.
  635. ``AdminSite``
  636. ~~~~~~~~~~~~~
  637. The following checks are performed on the default
  638. :class:`~django.contrib.admin.AdminSite`:
  639. * **admin.E401**: :mod:`django.contrib.contenttypes` must be in
  640. :setting:`INSTALLED_APPS` in order to use the admin application.
  641. * **admin.E402**: :mod:`django.contrib.auth.context_processors.auth`
  642. must be enabled in :class:`~django.template.backends.django.DjangoTemplates`
  643. (:setting:`TEMPLATES`) if using the default auth backend in order to use the
  644. admin application.
  645. * **admin.E403**: A :class:`django.template.backends.django.DjangoTemplates`
  646. instance must be configured in :setting:`TEMPLATES` in order to use the
  647. admin application.
  648. * **admin.E404**: ``django.contrib.messages.context_processors.messages``
  649. must be enabled in :class:`~django.template.backends.django.DjangoTemplates`
  650. (:setting:`TEMPLATES`) in order to use the admin application.
  651. * **admin.E405**: :mod:`django.contrib.auth` must be in
  652. :setting:`INSTALLED_APPS` in order to use the admin application.
  653. * **admin.E406**: :mod:`django.contrib.messages` must be in
  654. :setting:`INSTALLED_APPS` in order to use the admin application.
  655. * **admin.E408**:
  656. :class:`django.contrib.auth.middleware.AuthenticationMiddleware` must be in
  657. :setting:`MIDDLEWARE` in order to use the admin application.
  658. * **admin.E409**: :class:`django.contrib.messages.middleware.MessageMiddleware`
  659. must be in :setting:`MIDDLEWARE` in order to use the admin application.
  660. * **admin.E410**: :class:`django.contrib.sessions.middleware.SessionMiddleware`
  661. must be in :setting:`MIDDLEWARE` in order to use the admin application.
  662. * **admin.W411**: ``django.template.context_processors.request`` must be
  663. enabled in :class:`~django.template.backends.django.DjangoTemplates`
  664. (:setting:`TEMPLATES`) in order to use the admin navigation sidebar.
  665. ``auth``
  666. --------
  667. * **auth.E001**: ``REQUIRED_FIELDS`` must be a list or tuple.
  668. * **auth.E002**: The field named as the ``USERNAME_FIELD`` for a custom user
  669. model must not be included in ``REQUIRED_FIELDS``.
  670. * **auth.E003**: ``<field>`` must be unique because it is named as the
  671. ``USERNAME_FIELD``.
  672. * **auth.W004**: ``<field>`` is named as the ``USERNAME_FIELD``, but it is not
  673. unique.
  674. * **auth.E005**: The permission codenamed ``<codename>`` clashes with a builtin
  675. permission for model ``<model>``.
  676. * **auth.E006**: The permission codenamed ``<codename>`` is duplicated for model
  677. ``<model>``.
  678. * **auth.E007**: The :attr:`verbose_name
  679. <django.db.models.Options.verbose_name>` of model ``<model>`` must be at most
  680. 244 characters for its builtin permission names
  681. to be at most 255 characters.
  682. * **auth.E008**: The permission named ``<name>`` of model ``<model>`` is longer
  683. than 255 characters.
  684. * **auth.C009**: ``<User model>.is_anonymous`` must be an attribute or property
  685. rather than a method. Ignoring this is a security issue as anonymous users
  686. will be treated as authenticated!
  687. * **auth.C010**: ``<User model>.is_authenticated`` must be an attribute or
  688. property rather than a method. Ignoring this is a security issue as anonymous
  689. users will be treated as authenticated!
  690. * **auth.E011**: The name of model ``<model>`` must be at most 93 characters
  691. for its builtin permission names to be at most 100 characters.
  692. * **auth.E012**: The permission codenamed ``<codename>`` of model ``<model>``
  693. is longer than 100 characters.
  694. ``contenttypes``
  695. ----------------
  696. The following checks are performed when a model contains a
  697. :class:`~django.contrib.contenttypes.fields.GenericForeignKey` or
  698. :class:`~django.contrib.contenttypes.fields.GenericRelation`:
  699. * **contenttypes.E001**: The ``GenericForeignKey`` object ID references the
  700. nonexistent field ``<field>``.
  701. * **contenttypes.E002**: The ``GenericForeignKey`` content type references the
  702. nonexistent field ``<field>``.
  703. * **contenttypes.E003**: ``<field>`` is not a ``ForeignKey``.
  704. * **contenttypes.E004**: ``<field>`` is not a ``ForeignKey`` to
  705. ``contenttypes.ContentType``.
  706. * **contenttypes.E005**: Model names must be at most 100 characters.
  707. ``postgres``
  708. ------------
  709. The following checks are performed on :mod:`django.contrib.postgres` model
  710. fields:
  711. * **postgres.E001**: Base field for array has errors: ...
  712. * **postgres.E002**: Base field for array cannot be a related field.
  713. * **postgres.E003**: ``<field>`` default should be a callable instead of an
  714. instance so that it's not shared between all field instances. *This check was
  715. changed to* ``fields.E010`` *in Django 3.1*.
  716. ``sites``
  717. ---------
  718. The following checks are performed on any model using a
  719. :class:`~django.contrib.sites.managers.CurrentSiteManager`:
  720. * **sites.E001**: ``CurrentSiteManager`` could not find a field named
  721. ``<field name>``.
  722. * **sites.E002**: ``CurrentSiteManager`` cannot use ``<field>`` as it is not a
  723. foreign key or a many-to-many field.
  724. ``staticfiles``
  725. ---------------
  726. The following checks verify that :mod:`django.contrib.staticfiles` is correctly
  727. configured:
  728. * **staticfiles.E001**: The :setting:`STATICFILES_DIRS` setting is not a tuple
  729. or list.
  730. * **staticfiles.E002**: The :setting:`STATICFILES_DIRS` setting should not
  731. contain the :setting:`STATIC_ROOT` setting.
  732. * **staticfiles.E003**: The prefix ``<prefix>`` in the
  733. :setting:`STATICFILES_DIRS` setting must not end with a slash.