Is the default django development server secure or can others access it?

Question

I'm new to django/python and want to make sure that if I'm learning django on my own from my work machine, it won't be some kind of security breech when django sets up its automatic development server. I'm using this tutorial: https://docs.djangoproject.com/en/2.1/intro/tutorial01/

And they have you set up the dev server as:

$ python manage.py runserver

which outputs:

Performing system checks...

System check identified no issues (0 silenced).

You have unapplied migrations; your app may not work properly until they are applied.
Run 'python manage.py migrate' to apply them.

November 17, 2018 - 15:50:53
Django version 2.1, using settings 'mysite.settings'
Starting development server at http://127.0.0.1:8000/
Quit the server with CONTROL-C.

Can others access this server, either from within the network or just through the internet? How would one go about checking that?

Answer 1

Hosting the development server on localhost (which is equivalent to 127.0.0.1) does not expose you to any risks than might already exist in your system. You would have to make a very deliberate effort to make this accessible to external connections.

If you wish to make the site accessible on a local network, you can host on 0.0.0.0. The bottom line is that you'd have to be either compromised already somehow, or have made a deliberate effort, to be any more exposed by running the development server. Just don't use it when moving to production.