Will It Vibe logoWill It Vibe?
DJANGO-020Medium severity-8 points

django.views.static.serve wired in with no DEBUG guard

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

django.views.static.serve is registered directly in urlpatterns with no visible enclosing `if settings.DEBUG:` block. Django's own documentation says this view is not hardened for production use; the safe alternative is django.conf.urls.static.static(), which already no-ops when DEBUG is False.

Why it matters

Django's documentation is explicit that django.views.static.serve is not hardened for production use; it exists for local development convenience. Registering it directly in urlpatterns with no DEBUG guard means it runs in every environment, including production, where you generally want a real web server or object storage serving static/media files, not the Django process itself.

How to fix it

Replace the manual serve() registration with django.conf.urls.static.static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT), which already only adds the URL pattern when DEBUG is True and is a no-op otherwise. In production, serve static files via whitenoise or your web server/CDN, and media files from object storage (S3-compatible) or a web-server location block, not through Django.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks