Here are some very important security instructions for PyLucid.

public access to settings.py

The settings.py is inside the document root of the webserver. You should check if you can get the settings.py through the webserver:

Normally you can't access the file, because we have added this in the .htaccess:

<Files settings.py>
    Deny from all
</Files>

_install section access

Disable the _install section access after the installation. Change this in your settings.py:

  • ENABLE_INSTALL_SECTION = False

You can also delete the install password hash. Note that the password hash can be shown in a traceback if tracebacks are enabled.

verbose tracebacks

You should disable the debug traceback function. Set DEBUG = False in your settings.py.

Use DEBUG = True only together with INTERNAL_IPS!
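
The checks from the three sections above can be scripted. The following is an added example, not part of PyLucid: it reads a settings.py without importing it and reports the settings named on this page, and it can request settings.py from your own site to confirm the .htaccess rule works. The function names, the finding texts and the sample input are assumptions made for this example.

```python
import ast
import urllib.error
import urllib.request


def read_settings(source):
    """Collect top-level NAME = <literal> assignments without importing the file."""
    values = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                pass  # computed value (e.g. os.path.join(...)), not a literal
    return values


def audit_settings(source):
    """Return a list of findings for the settings named on this page."""
    s = read_settings(source)
    findings = []
    # Assumption: a missing ENABLE_INSTALL_SECTION is reported, not trusted.
    if s.get("ENABLE_INSTALL_SECTION", True):
        findings.append("ENABLE_INSTALL_SECTION is not False")
    if s.get("DEBUG", False):  # Django's own default for DEBUG is False
        if s.get("INTERNAL_IPS"):
            findings.append("DEBUG = True (INTERNAL_IPS is set)")
        else:
            findings.append("DEBUG = True without INTERNAL_IPS")
    return findings


def settings_py_status(base_url, timeout=10):
    """HTTP status for <base_url>/settings.py; 200 means the file is served."""
    url = base_url.rstrip("/") + "/settings.py"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 is what "Deny from all" should produce


# Constructed sample input, not a real PyLucid settings.py
SAMPLE = "DEBUG = True\nINTERNAL_IPS = ()\nENABLE_INSTALL_SECTION = True\n"

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE):
        print("WARN:", finding)
```

To test the webserver rule, call settings_py_status() with the base URL of your own installation; any result other than 403 or 404 needs a closer look.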