Django Python Application as a Tor Hidden Service
Django is a high-level Python web framework suitable for building complex .onion applications. Deploying Django behind Tor hidden service infrastructure requires specific configuration for the anonymous access context, including ALLOWED_HOSTS configuration for .onion addresses, proxy-aware middleware, and session handling appropriate for the multi-hop Tor environment.
Django Settings for .onion Deployment
Configure Django settings for .onion hosting. Set ALLOWED_HOSTS = ['youronionaddress.onion', '127.0.0.1', 'localhost'] so that Django accepts requests addressed to the .onion hostname. Set USE_X_FORWARDED_HOST = True and SECURE_PROXY_SSL_HEADER = None (Tor provides transport security without HTTPS). Add 'django.middleware.common.BrokenLinkEmailsMiddleware' only if the email it sends is routed through Tor. Set SESSION_COOKIE_SECURE = False since .onion services use HTTP. Configure CACHES to use Redis or Memcached rather than the default local-memory cache for better performance in production. Set DEBUG = False and list ALLOWED_HOSTS explicitly - never leave DEBUG = True in production.
Gunicorn and Nginx Configuration
Run Django with Gunicorn (pip install gunicorn): gunicorn --bind 127.0.0.1:8001 --workers 4 --timeout 120 myproject.wsgi:application. The long timeout (120 seconds) accommodates Tor's variable latency during request processing. Configure Nginx as a reverse proxy: listen on 127.0.0.1:8080, proxy_pass to http://127.0.0.1:8001, proxy_set_header Host $host, proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for. Configure the Tor hidden service to forward port 80 to 127.0.0.1:8080. Run Gunicorn as a systemd service with Restart=on-failure and an appropriate non-root User.
Static Files and Media Handling
Django collects static files to STATIC_ROOT for production serving. Run python manage.py collectstatic before deployment. Configure Nginx to serve static files directly: location /static/ { alias /var/www/myapp/staticfiles/; }. For user-uploaded media (images, documents), configure MEDIA_ROOT and serve via Nginx at the /media/ location. Ensure MEDIA_ROOT has appropriate permissions (readable by Nginx user, writable by Django). For .onion services handling sensitive user uploads, implement server-side metadata stripping (EXIF, Office metadata) before storage using Python Pillow for images and python-docx for Office files.
Django Security Configuration
Enable Django's security middleware and related settings: SECURE_BROWSER_XSS_FILTER = True (honoured only by Django versions before 4.0, which removed the setting), SECURE_CONTENT_TYPE_NOSNIFF = True, X_FRAME_OPTIONS = 'DENY', CSRF_COOKIE_HTTPONLY = True. For .onion services, disable the SSL-specific settings that would redirect to or require HTTPS: SECURE_SSL_REDIRECT = False, SECURE_HSTS_SECONDS = 0. CSRF protection works normally on .onion services. Configure AUTHENTICATION_BACKENDS to use Django's default authentication or a custom backend appropriate for your anonymity requirements. Avoid authentication backends that query external services (OAuth, Google, Facebook), as these would reveal the server's IP to the external provider.
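A pre-deployment check for the settings from this section and from "Django Settings for .onion Deployment", as an added example that is not part of the original page. It goes beyond the text by verifying the checksum embedded in a v3 .onion address (Tor's v3 address format), so a mistyped ALLOWED_HOSTS entry is caught before every request is rejected with HTTP 400; the function names and the sample key are assumptions made for illustration.

```python
import base64
import hashlib

LOOPBACK = {"127.0.0.1", "localhost"}
# Values the page prescribes for an HTTP-only .onion deployment.
REQUIRED = {"DEBUG": False, "SESSION_COOKIE_SECURE": False,
            "SECURE_SSL_REDIRECT": False, "SECURE_HSTS_SECONDS": 0,
            "SECURE_PROXY_SSL_HEADER": None}


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte service public key as a v3 .onion hostname."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def is_valid_onion_v3(host: str) -> bool:
    """True if host is a 56-character v3 address whose checksum verifies."""
    label, _, tld = host.lower().rpartition(".")
    if tld != "onion" or len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    return raw[34:] == b"\x03" and onion_v3_from_pubkey(raw[:32]) == host.lower()


def audit_onion_settings(settings: dict) -> list[str]:
    """Return findings for a settings mapping; an empty list means it passes."""
    findings = []
    for name, expected in REQUIRED.items():
        # An unset name falls back to Django's default, which equals `expected`.
        if settings.get(name, expected) != expected:
            findings.append(f"{name} should be {expected!r}")
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not any(h.endswith(".onion") for h in hosts):
        findings.append("ALLOWED_HOSTS has no .onion entry")
    for host in hosts:
        if host not in LOOPBACK and not is_valid_onion_v3(host):
            findings.append(f"ALLOWED_HOSTS entry {host!r} is neither loopback nor a valid v3 .onion")
    return findings


if __name__ == "__main__":
    sample_host = onion_v3_from_pubkey(bytes(range(32)))  # constructed key, not a real service
    sample = {"DEBUG": True, "ALLOWED_HOSTS": [sample_host[:-7] + "a.onion", "localhost"]}
    for finding in audit_onion_settings(sample):
        print(finding)
```

In a project, build the mapping from django.conf.settings in a deployment script and stop the release when the returned list is not empty.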
Database Configuration and Connection Pooling
Configure Django's DATABASES setting to use PostgreSQL: ENGINE django.db.backends.postgresql, NAME mydb, USER myuser, PASSWORD mypass, HOST /var/run/postgresql (Unix socket for best performance). Enable persistent connections: CONN_MAX_AGE = 600 in the DATABASES setting, which keeps database connections open for 10 minutes between requests. For high-traffic applications, use django-db-geventpool or a similar connection pooling library. Run database migrations (python manage.py migrate) during deployment. Automate a database backup before each deployment so that a failed release can be rolled back safely.