---
description: Django official coding style, ORM optimization, and security
globs: ["**/*.py"]
alwaysApply: true
---

- Follow PEP 8; format with black (88-char code lines). Use `underscore_case` for variables, functions and methods and `InitialCaps` for classes. The first parameter of a view function is named `request`.
- Sort imports with isort: future, stdlib, third-party, other Django components, local Django component, then try/except imports. Use absolute imports for other Django components and relative imports (`from .models import ...`) for local ones.
- No f-strings in translatable strings: mark them with `gettext` / `gettext_lazy` and use `format()` placeholders (named ones when there is more than one) so translators can reorder them.
- Models: lowercase underscore field names; `Meta` comes after the fields. Order members as fields → custom manager attributes → `Meta` → `__str__()` → `save()` → `get_absolute_url()` → custom methods.
- Avoid N+1 queries: `select_related()` for ForeignKey / OneToOne, `prefetch_related()` for ManyToMany and reverse relations.
- QuerySets are lazy and cache their results once evaluated: assign one to a variable and reuse it; never build or re-evaluate a fresh QuerySet inside a loop.
- Prefer `update()` / `bulk_create()` / `bulk_update()` / `F()` / `annotate()` over per-object `save()` loops. Use `values()` / `only()` / `defer()` to fetch only the columns you need.
- Use the ORM so the database driver handles quoting. Reach for `raw()` / `RawSQL()` / `cursor.execute()` only when needed, and pass user input through the `params` argument (`%s` placeholders), never by string formatting or hand escaping; table and column names cannot be parameterized, so allowlist them. Avoid the legacy `extra()`.
- Never disable CSRF protection: keep `CsrfViewMiddleware` enabled and `{% csrf_token %}` in every POST form. Avoid `@csrf_exempt`.
- Rely on template auto-escaping. Treat `mark_safe()`, the `safe` filter, `{% autoescape off %}` and HTML stored in the database as XSS risks; build markup with `format_html()` rather than `mark_safe()` on a formatted string.
- Set `ALLOWED_HOSTS` explicitly and read the host via `request.get_host()`, which validates against it, not via `request.META['HTTP_HOST']`.
- Production: `DEBUG = False`, a unique `SECRET_KEY` kept out of source control, HTTPS only (`SECURE_SSL_REDIRECT`, `SESSION_COOKIE_SECURE`, `CSRF_COOKIE_SECURE`, `SECURE_HSTS_SECONDS`). Run `manage.py check --deploy` before shipping.
- Don't read `django.conf.settings` at module top level (it runs at import time, possibly before settings are configured): use lazy indirection (`LazyObject`, `lazy()`, or a `lambda`).
- Add `Meta.indexes` / `db_index=True` for frequently filtered or ordered fields; verify query plans with `QuerySet.explain()`.
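The ORM rules above (N+1 vs `select_related()` / `prefetch_related()`, QuerySet caching, bulk updates with `F()`) and the auto-escaping rule, shown as an added stand-alone script; this is example code written for this rules file, not code from the Django project. It assumes Django is installed, configures it against an in-memory SQLite database, and uses constructed `Author` / `Book` models and seed data; the query counts are measured with Django's `CaptureQueriesContext`.

```python
"""Added example: measure queries for N+1 vs select_related/prefetch_related,
QuerySet caching, bulk update with F(), and format_html() vs mark_safe().
Assumes Django is installed. Author/Book and their rows are constructed."""
import django
from django.conf import settings

if not settings.configured:
    settings.configure(
        INSTALLED_APPS=[],
        DATABASES={"default": {"ENGINE": "django.db.backends.sqlite3", "NAME": ":memory:"}},
    )
    django.setup()

from django.db import connection, models
from django.db.models import F, Sum
from django.test.utils import CaptureQueriesContext
from django.utils.html import format_html
from django.utils.safestring import mark_safe


class Author(models.Model):
    name = models.CharField(max_length=100)

    class Meta:
        app_label = "demo"  # explicit label: this module is not an installed app


class Book(models.Model):
    title = models.CharField(max_length=200)
    pages = models.IntegerField(default=100)
    author = models.ForeignKey(Author, on_delete=models.CASCADE, related_name="books")

    class Meta:
        app_label = "demo"


def setup_db(n_authors=3, books_per_author=2):
    """Create the tables (once) and seed constructed rows with bulk_create()."""
    if "demo_author" in connection.introspection.table_names():
        return
    with connection.schema_editor() as editor:
        editor.create_model(Author)
        editor.create_model(Book)
    Author.objects.bulk_create([Author(name=f"author-{i}") for i in range(n_authors)])
    authors = list(Author.objects.all())  # re-read: not every backend returns pks from bulk_create
    Book.objects.bulk_create(
        [Book(title=f"book-{a.name}-{j}", author=a) for a in authors for j in range(books_per_author)]
    )


def query_count(fn):
    """Run fn() and return (number of SQL statements executed, fn's result)."""
    with CaptureQueriesContext(connection) as ctx:
        result = fn()
    return len(ctx.captured_queries), result


def authors_of_books_naive():
    # N+1: one query for the books, then one more per book for book.author
    return [b.author.name for b in Book.objects.all()]


def authors_of_books_joined():
    # select_related() fetches the FK target in the same JOINed query
    return [b.author.name for b in Book.objects.select_related("author")]


def books_per_author():
    # prefetch_related() on the reverse FK: two queries total instead of 1 + N
    return {a.name: [b.title for b in a.books.all()] for a in Author.objects.prefetch_related("books")}


def queryset_cache_queries():
    qs = Book.objects.all()
    with CaptureQueriesContext(connection) as ctx:
        len(qs)                  # evaluates the QuerySet and fills its result cache
        len(qs)                  # served from the cache: no query
        len(Book.objects.all())  # a fresh QuerySet hits the database again
    return len(ctx.captured_queries)


def add_pages_to_all(extra):
    # one UPDATE ... SET pages = pages + %s instead of a save() loop
    with CaptureQueriesContext(connection) as ctx:
        Book.objects.update(pages=F("pages") + extra)
    return len(ctx.captured_queries)


def total_pages():
    return Book.objects.aggregate(total=Sum("pages"))["total"]


def render_title(user_supplied):
    # format_html() escapes its arguments; mark_safe() on an f-string does not
    safe = format_html("<b>{}</b>", user_supplied)
    unsafe = mark_safe(f"<b>{user_supplied}</b>")
    return str(safe), str(unsafe)


if __name__ == "__main__":
    setup_db()
    print("naive N+1 queries:", query_count(authors_of_books_naive)[0])
    print("select_related queries:", query_count(authors_of_books_joined)[0])
    print("prefetch_related queries:", query_count(books_per_author)[0])
    print("cached QuerySet queries:", queryset_cache_queries())
    print("bulk update queries:", add_pages_to_all(5), "total pages:", total_pages())
    print("format_html vs mark_safe:", render_title("<script>"))
```

With three authors and two books each, the naive loop issues 7 statements where `select_related()` issues 1 and `prefetch_related()` 2; the same pattern in a real view is what `QuerySet.explain()` and the query log will surface.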
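The raw-SQL rule above, as an added example that is not from Django or this rules file. It uses the stdlib `sqlite3` module so it runs without Django; Django's `cursor.execute(sql, params)`, `Model.objects.raw(sql, params)` and `RawSQL(sql, params)` bind parameters the same way (Django uses `%s` placeholders on every backend, `sqlite3` used directly uses `?`). The `auth_user`-like table, its rows, the attacker input and the sort-column allowlist are all constructed for the example.

```python
"""Added example: why user input must be bound as a parameter, never spliced
into SQL text, and why identifiers need an allowlist instead. Uses sqlite3
directly; table, rows and attacker input are constructed."""
import sqlite3

# Constructed sample rows for a minimal auth_user-like table.
SEED_ROWS = [("alice", 0), ("bob", 0), ("mallory", 1)]
# Columns a request is allowed to sort by (constructed allowlist).
ALLOWED_SORT_COLUMNS = {"id", "username"}
# Constructed attacker input: closes the quoted literal and appends a tautology.
INJECTION = "x' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_user (id INTEGER PRIMARY KEY, username TEXT, is_staff INTEGER)"
    )
    conn.executemany("INSERT INTO auth_user (username, is_staff) VALUES (?, ?)", SEED_ROWS)
    return conn


def find_user_unsafe(conn, username):
    """BAD: the untrusted value becomes part of the statement text, so a
    single quote in it rewrites the WHERE clause."""
    sql = f"SELECT username FROM auth_user WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """GOOD: the driver binds the value; it is only ever compared as data."""
    sql = "SELECT username FROM auth_user WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def list_users_sorted(conn, sort_by):
    """Identifiers (table/column names) cannot be bound as parameters, so a
    request-supplied sort column is checked against an allowlist first."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM auth_user ORDER BY {sort_by}")]


def demo():
    conn = make_db()
    return {
        "unsafe": find_user_unsafe(conn, INJECTION),  # every row leaks
        "safe": find_user_safe(conn, INJECTION),      # nobody has that literal username
        "legit": find_user_safe(conn, "alice"),
        "sorted": list_users_sorted(conn, "username"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>7}: {rows}")
```

The Django equivalent of `find_user_safe` is `User.objects.raw("SELECT ... WHERE username = %s", [username])`; `find_user_unsafe` is what an f-string or `%` formatting into that SQL produces, whatever escaping was attempted by hand.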