
---
description: Django official coding style, ORM optimization, and security
globs: ["**/*.py"]
alwaysApply: true
---

  • Follow PEP 8; format with black (88-char code lines). underscore_case names, InitialCaps classes. Views take request first.
  • Sort imports with isort: future → stdlib → third-party → other Django → local → try/except. Absolute Django imports, one-dot relative for local.
  • No f-strings for translatable strings — mark for i18n and use format().
  • Models: lowercase underscore field names; class Meta after the fields. Order: database fields → custom manager attributes → class Meta → __str__() → save() → get_absolute_url() → custom methods.
  • Avoid N+1: select_related() for FK/OneToOne, prefetch_related() for ManyToMany and reverse relations.
  • QuerySets are lazy and cache once evaluated — store and reuse, never re-query in a loop.
  • Prefer update() / bulk_create() / bulk_update() / F() / annotate() over per-object save() loops. Use values() / only() to fetch less.
  • Use the ORM for SQL safety; reach for raw() / extra() / RawSQL() only when needed, and then pass user input via the params argument (raw(sql, params), RawSQL(sql, params), cursor.execute(sql, params)) with %s placeholders. Never string-format or hand-escape user input into the SQL text.
  • Never disable CSRF; keep {% csrf_token %} and CsrfViewMiddleware. Avoid @csrf_exempt.
  • Rely on template auto-escaping; be careful with mark_safe / safe / autoescape-off and stored HTML.
  • Set ALLOWED_HOSTS; read host via request.get_host(), not request.META.
  • Production: DEBUG = False, secret SECRET_KEY, HTTPS (SECURE_SSL_REDIRECT, secure cookies, HSTS).
  • Don't read django.conf.settings at module top level: settings may not be configured yet at import time, and a value copied at import can't be overridden later (e.g. by override_settings in tests). Use lazy indirection (LazyObject, lazy(), a lambda) or read the setting inside the function that needs it.
  • Add Meta.indexes / db_index for frequently filtered fields; profile with QuerySet.explain().