camelCaseGuy

Reputation: 1

Python - Django documentation says this is an insecure way of serving static files - is it true, and if yes, how so?

I follow this way of delivering static files but according to the disclaimer at the top, it's both insecure and inefficient. Is it true? How should I be doing it instead?

Also, a semi-off-topic question: Are the terms 'media' and 'static files' interchangeable in the context of web programming? I see them thrown around a lot and they seem to be referring to the same thing.

Upvotes: 0

Views: 445

Answers (2)

Edw4rd

Reputation: 79

Agree with S.Lott's answer, but when you questioned "It's an insecure way of serving static files, is it true?"

I guess it's necessary to explain why.

The answer to "Why serving static files from Django is insecure" explained the reason. Quoted here:

Nothing can be considered secure unless it is designed and audited for security. We have done neither with the static file server. It may not have existing security holes, but it should not be considered secure because that's not a design goal.

For example, a secure file server would need to check for resource allocation problems so that serving a very large file didn't constitute a denial-of-service attack. That requires a lot of extra code and pipeline management which isn't worth putting into something that's just for development purposes.

Upvotes: 0

S.Lott

Reputation: 391818

it's both insecure and inefficient. Is it true?

Of course. Why do you think they say it?

How should I be doing it instead?

That's what Apache is for. Or Nginx or lighttpd or any of a large number of other web servers.

Are the terms 'media' and 'static files' interchangeable in the context of web programming?

Usually.

Django 1.3 does make a distinction between "media" as stuff that gets uploaded and downloaded and static files which are -- well -- static.

Upvotes: 1
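As an added example (not part of either answer), here is what "let the web server do it" looks like for nginx: static files and uploaded media are served straight from disk with a body-size cap, and only dynamic requests reach Django. The hostname, the two directory paths (your STATIC_ROOT and MEDIA_ROOT) and the upstream address are assumptions for the illustration.

```nginx
# Added example, not from the question or the answers above.
# Paths, hostname and upstream address are placeholders (assumptions).
server {
    listen 80;
    server_name example.com;           # assumption: your hostname

    # Bound request bodies so one oversized upload cannot exhaust disk
    # or memory; this is the resource limit the dev server lacks.
    client_max_body_size 10m;

    # STATIC_ROOT: files produced by `manage.py collectstatic`.
    # Keep the trailing slash on both `location` and `alias`; a
    # `location /static` without it lets /static../ map outside the dir.
    location /static/ {
        alias /srv/example/static/;    # assumption: STATIC_ROOT
        expires 30d;
        add_header Cache-Control "public";
    }

    # MEDIA_ROOT: files users uploaded through the app. Serve them as
    # opaque files only; never hand them to an interpreter.
    location /media/ {
        alias /srv/example/media/;     # assumption: MEDIA_ROOT
        add_header X-Content-Type-Options "nosniff";
    }

    # Everything else is dynamic: forward to the Django app (assumed to
    # be running behind gunicorn or uWSGI on a local port).
    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

With this in place, `django.views.static.serve` (or the `static()` URL helper) should only be wired up when `DEBUG` is on, so nothing in the app ever streams files itself in production.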
