Deploying Gobarau Academy Backend to a production environment requires several changes from the default development configuration. The current settings.py ships with a hardcoded secret key, DEBUG = True, an empty ALLOWED_HOSTS, and a local SQLite database — none of which are appropriate for a live server. Work through this checklist in order before exposing the application to the internet.
The settings.py file currently contains a hardcoded SECRET_KEY value (django-insecure-(o4n%y#c=...). This key must be replaced with a new, randomly generated secret before deploying to any non-development environment. Exposing the default insecure key in production is a critical security vulnerability.
corsheaders is listed in INSTALLED_APPS but CorsMiddleware has not been added to the MIDDLEWARE list in settings.py. Without this, CORS headers will not be sent. You must add corsheaders.middleware.CorsMiddleware to MIDDLEWARE and configure either CORS_ALLOWED_ORIGINS or CORS_ALLOW_ALL_ORIGINS before your frontend can make cross-origin API requests.

Pre-Deployment Checklist

1. Replace the SECRET_KEY

Generate a new cryptographically strong secret key and store it in an environment variable. Never hardcode it in source control.

Generate a key with Python:
python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"
Then update settings.py to read it from the environment:
import os
SECRET_KEY = os.environ["SECRET_KEY"]

2. Disable DEBUG

Set DEBUG to False in your production settings. When DEBUG is True, Django exposes full stack traces to the browser — a serious information leak in production.
DEBUG = False
Or read it from an environment variable:
DEBUG = os.environ.get("DEBUG", "False") == "True"

3. Configure ALLOWED_HOSTS

Add every hostname and IP address your application will be served from. Django will reject requests that do not match this list when DEBUG = False.
ALLOWED_HOSTS = ["yourdomain.com", "www.yourdomain.com", "your-server-ip"]

4. Enable CORS

corsheaders is already installed. Add CorsMiddleware to MIDDLEWARE before CommonMiddleware, then configure the allowed origins:
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',          # ← add here
    'django.middleware.common.CommonMiddleware',
    # ... remaining middleware entries unchanged
]

CORS_ALLOWED_ORIGINS = [
    "https://yourfrontend.com",
    "https://www.yourfrontend.com",
]
See the full CORS Configuration section below for more options.

5. Switch to a production database

The default SQLite configuration is not suitable for production workloads. Replace it with PostgreSQL:
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': os.environ['DB_NAME'],
        'USER': os.environ['DB_USER'],
        'PASSWORD': os.environ['DB_PASSWORD'],
        'HOST': os.environ.get('DB_HOST', 'localhost'),
        'PORT': os.environ.get('DB_PORT', '5432'),
    }
}
Install the PostgreSQL adapter:
pip install psycopg2-binary

6. Configure Cloudinary

Gobarau Academy uses Cloudinary for media storage. Provide your credentials via environment variables and add the storage configuration to settings.py:
CLOUDINARY_STORAGE = {
    'CLOUD_NAME': os.environ['CLOUDINARY_CLOUD_NAME'],
    'API_KEY': os.environ['CLOUDINARY_API_KEY'],
    'API_SECRET': os.environ['CLOUDINARY_API_SECRET'],
}
DEFAULT_FILE_STORAGE = 'cloudinary_storage.storage.MediaCloudinaryStorage'

7. Collect static files

Before starting the production server, collect all static assets into STATIC_ROOT:
python manage.py collectstatic --noinput
Make sure STATIC_ROOT is set in settings.py:
STATIC_ROOT = BASE_DIR / 'staticfiles'

8. Run migrations

Apply any pending database migrations against your production database:
python manage.py migrate

Environment Variables

Store all sensitive configuration values as environment variables. Never commit them to source control.

| Variable | Description |
| --- | --- |
| SECRET_KEY | Django secret key — long random string |
| DEBUG | Set to False in production |
| ALLOWED_HOSTS | Comma-separated list of allowed hostnames |
| DATABASE_URL | PostgreSQL connection string (e.g. postgres://user:pass@host:5432/dbname) |
| CLOUDINARY_CLOUD_NAME | Your Cloudinary cloud name |
| CLOUDINARY_API_KEY | Your Cloudinary API key |
| CLOUDINARY_API_SECRET | Your Cloudinary API secret |
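
The table names DATABASE_URL and a comma-separated ALLOWED_HOSTS, while the checklist snippets read DB_NAME/DB_USER/DB_PASSWORD and hardcode the host list. The following added example (not the project's own code) shows one way to load the table's variables for settings.py and refuse to start on unsafe values; the function name load_production_settings and the sample values are assumptions.

```python
import os
from urllib.parse import unquote, urlsplit

# Constructed sample environment (placeholder values, not real credentials).
SAMPLE_ENV = {
    "SECRET_KEY": "constructed-sample-key-not-for-real-use",
    "ALLOWED_HOSTS": "yourdomain.com, www.yourdomain.com",
    "DATABASE_URL": "postgres://user:p%40ss@db.internal:5432/dbname",
}


def load_production_settings(env=os.environ):
    """Build Django settings from the documented variables, failing closed."""
    secret = env.get("SECRET_KEY", "")
    # Refuse to start with a missing key or one carrying the dev-only prefix.
    if not secret or secret.startswith("django-insecure-"):
        raise RuntimeError("SECRET_KEY is unset or still a development key")

    # Only the literal string "True" turns DEBUG on; the default is off.
    debug = env.get("DEBUG", "False") == "True"

    # "a.com, b.com" -> ["a.com", "b.com"]; empty entries are dropped.
    hosts = [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not debug and not hosts:
        raise RuntimeError("ALLOWED_HOSTS must name at least one host")

    url = urlsplit(env.get("DATABASE_URL", ""))
    if url.scheme not in ("postgres", "postgresql") or not url.path.strip("/"):
        raise RuntimeError("DATABASE_URL must look like postgres://user:pass@host:5432/dbname")
    database = {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": unquote(url.path.lstrip("/")),
        # Credentials are percent-decoded so passwords may contain @, : or /.
        "USER": unquote(url.username or ""),
        "PASSWORD": unquote(url.password or ""),
        "HOST": url.hostname or "localhost",
        "PORT": str(url.port or 5432),
    }
    return {"SECRET_KEY": secret, "DEBUG": debug,
            "ALLOWED_HOSTS": hosts, "DATABASES": {"default": database}}


# In settings.py: globals().update(load_production_settings())
```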

WSGI / ASGI

The project ships with both gobarau/wsgi.py and gobarau/asgi.py, generated automatically by django-admin startproject. For most deployments, use Gunicorn against the WSGI entrypoint:
gunicorn gobarau.wsgi:application \
  --workers 4 \
  --bind 0.0.0.0:8000 \
  --timeout 120
Install Gunicorn first:
pip install gunicorn
For async support or WebSocket handling, point Gunicorn (with Uvicorn workers) or another ASGI server at gobarau.asgi:application:
gunicorn gobarau.asgi:application \
  --workers 4 \
  --worker-class uvicorn.workers.UvicornWorker \
  --bind 0.0.0.0:8000

CORS Configuration

corsheaders (django-cors-headers 4.9.0) is already installed. The only remaining step is wiring it into MIDDLEWARE and declaring your allowed origins. Add CorsMiddleware to MIDDLEWARE — it must appear before CommonMiddleware:
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',          # ← before CommonMiddleware
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
Restrict to specific origins (recommended for production):
CORS_ALLOWED_ORIGINS = [
    "https://yourfrontend.com",
    "https://www.yourfrontend.com",
]
Allow all origins (development only — do not use in production):
CORS_ALLOW_ALL_ORIGINS = True
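
The misconfiguration this page describes (corsheaders in INSTALLED_APPS, CorsMiddleware absent from MIDDLEWARE) can be caught before deployment with a small check. This is an added example, not part of the project; audit_cors, the constants and the sample list are assumptions, and requiring https origins is this example's policy for production.

```python
from urllib.parse import urlsplit

CORS_MW = "corsheaders.middleware.CorsMiddleware"
COMMON_MW = "django.middleware.common.CommonMiddleware"

# Constructed input: a MIDDLEWARE list that lacks CorsMiddleware.
DEFAULT_MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    COMMON_MW,
    "django.middleware.csrf.CsrfViewMiddleware",
]


def audit_cors(installed_apps, middleware, allowed_origins=(), allow_all=False):
    """Return a list of findings; an empty list means the CORS setup passed."""
    findings = []
    if "corsheaders" not in installed_apps:
        findings.append("corsheaders missing from INSTALLED_APPS")
    if CORS_MW not in middleware:
        findings.append("CorsMiddleware missing from MIDDLEWARE: no CORS headers are sent")
    elif COMMON_MW in middleware and middleware.index(CORS_MW) > middleware.index(COMMON_MW):
        findings.append("CorsMiddleware must come before CommonMiddleware")
    if allow_all:
        findings.append("CORS_ALLOW_ALL_ORIGINS is True: development only")
    elif not allowed_origins:
        findings.append("CORS_ALLOWED_ORIGINS is empty: no frontend origin is allowed")
    for origin in allowed_origins:
        parts = urlsplit(origin)
        # An origin is scheme://host[:port] only; a path or missing host is an error.
        if parts.scheme != "https" or not parts.netloc or parts.path:
            findings.append(f"origin {origin!r} should be https://host[:port] with no path")
    return findings
```

Run it in CI against the values imported from settings.py and fail the build when the returned list is not empty.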