Production Django Deployments on Heroku

We use Heroku to host the TestDriven.io learning platform so that we can focus on application development rather than configuring web servers, installing Linux packages, setting up load balancers, and everything else that goes along with infrastructure management on a traditional server.

This article aims to simplify the process of deploying, maintaining, and scaling a production-grade Django app on Heroku.

We'll also review some tips and tricks for simplifying the deployment process. At the end, you'll find a production checklist for deploying a new app to production.

Contents

Heroku

Why Heroku? Like Django, Heroku embraces the "batteries included" philosophy. It's an opinionated environment, but it's also an environment that you don't have to manage -- so you can focus on application development rather than the environment supporting it.

If you use your own infrastructure or an Infrastructure as a Service (IaaS) solution -- like DigitalOcean Droplets, Amazon EC2, Google Compute Engine, to name a few -- you must either hire a sys admin/devops engineer or take on that role yourself. The former costs money while the latter slows down your velocity. Heroku will probably end up costing you more in hosting than an IaaS solution, but you will save money since you don't need to hire someone to administer the infrastructure and you can move faster on the application, which is what matters most at the end of the day.

Tips:

1. Make sure you're using Heroku with the latest Heroku Stack.
2. Use either uWSGI or Gunicorn as your production WSGI server. Either is fine. If you don't know why you'd prefer one WSGI server over another, it doesn't really matter. It's not difficult to switch later on either.
3. Run long-running or CPU-intensive processes, like email delivery or PDF report generation, outside of the web application asynchronously with either Celery or RQ along with the Heroku Redis add-on. For reference, we use Django-RQ.
4. Run at least two web and background processes for redundancy.
5. Use SSL.
6. Follow the Twelve-Factor App methodology.
7. Add caching.

Database

Tips:

1. Use a Heroku standard (or higher) tier Postgres database. Review the disc space, memory, and concurrent connection limits for each tier as well as the Concurrency and Database Connections in Django article.
2. Schedule daily backups of the production database via Heroku PGBackups.
3. Keep your migrations clean and manageable by squashing or resetting them from time to time.

Continuous Integration and Delivery

The Heroku runtime is both stateless and immutable, which helps enable continuous delivery. On each application deploy, a new virtual machine is constructed, configured, and moved into production.

Because of this, you do not need to worry about:

1. Using a process manager to stand up your services as Heroku handles this for you via a Dyno Manager.
2. Configuring a deployment mechanism for updating and restarting the app.

Heroku works with a number of Continuous Integration (CI) services, like Circle and GitHub Actions, and they also offer their own CI solution -- Heroku CI.

Tips:

1. Set up automatic deployments. Manual deployments are error prone due to human error.
2. Run the Django deployment checklist (manage.py check --deploy) in your production CI build.
3. At TestDriven.io, we use a form of GitOps where the state of the app is always kept in git and changes to the staging and production environments only happen in CI. Consider using this approach to help speed up development and introduce a stable rollback system.
4. Deploy regularly, at a scheduled time when developers are available in case something goes wrong.
5. Use release tags so you know exactly which version of the code is running in production -- e.g., git tag -a "$ENVIRONMENT/${VERSION}".

Static and Media Files

Tips:

1. Use WhiteNoise for static files and then throw a CDN, like Cloudflare or CloudFront, in front of it.
2. For user-uploaded media files, use S3 and django-storages.

Environments

Tips:

1. For staging, use a different Heroku app. Make sure to turn maintenance mode on when it's not in use so that Google's crawlers don't inadvertently come across it.

Testing

Write tests. Tests are a safeguard, so you don't accidentally change the functionality of your application. It's much better to catch a bug locally from your test suite than by a customer in production.

Tips:

1. Ignore the traditional testing pyramid. Spend half your time writing Django unit tests (with both pytest and Hypothesis). Spend the other half writing browser-based integration and end-to-end tests with Cypress. Compared to Selenium, Cypress tests are much easier to write and maintain. We recommend incorporating Cypress into your everyday TDD workflow. Review Modern Front-End Testing with Cypress for more info on this.

Monitoring and Logging

Monitoring and logging are a crucial part of a your app's reliability, making it easier to:

1. Discover errors at an early stage.
2. Understand how your app works.
3. Analyze performance.
4. Determine if your app is running correctly.

Your logs should always have a timestamp and a log level. They should also be human readable and easy to parse.

On the monitoring side of things, set up alerts to help reduce and preempt downtimes. Set up notifications so you can fix issues and address bottlenecks before your customers start to complain.

As you have seen, Heroku provides a number of services via the add-on system. This system is one of the powerful tools that you get out of the box from Heroku. You have hundreds of services at your disposable that take minutes to configure, many of which are useful for logging, monitoring, and error tracking.

Tips:

1. Heroku retains only the most recent 1500 lines of consolidated logs, which will just be a couple of seconds of logs. So, you'll need to send logs to a remote logging service, like Papertrail, to aggregate all of your logs.
2. Use Scout for application performance monitoring in order to track down performance issues.
3. Use Sentry for exception monitoring to get notifications when errors occur in your application.
4. You can monitor the basics like memory usage and CPU load directly from Heroku's Application Metrics dashboard.
5. Use Uptime Robot, which does not have a Heroku add-on, to ensure your site is up.

Security

When it comes to security, people are generally the weakest link. Your development team should be aware of some of the more common security vulnerabilities. Security Training for Engineers and Heroku's Security guide are great places to start along with the following OWASP cheat sheets:

1. Cross-Site Request Forgery (CSRF) Prevention
2. XSS (Cross Site Scripting) Prevention
3. DOM based XSS Prevention
4. Content Security Policy

Tips:

1. Use Snyk to keep your dependencies up-to-date.
2. Introduce a throttling mechanism, like Django Ratelimit, to limit the impact of DDoS attacks.
3. Keep your application's configuration separate from your code to prevent sensitive credentials from getting checked into source control.
4. Monitor and log suspicious behavior, such as multiple failed login attempts from a particular source and unusual spikes in traffic. Check out the Expedited WAF add-on for real-time security monitoring.
5. Check your Python code for common security issues with Bandit.
6. Once deployed, run your site through the automated security checkup at Pony Checkup.
7. Validate upload file content type and size.

Conclusion

Hopefully this article provided some useful information that will help simplify the process of deploying and maintaining a production Django app on Heroku.

Remember: Web development is complex because of all the moving pieces. You can counter that by:

1. Breaking problems up into small, easily-digestible subproblems. Ideally, you can then translate these subproblems to problems that have already been solved.
2. Removing pieces altogether by using Django and Heroku -- both of which make it easier to develop and deploy secure, scalable, and maintainable web apps since they embrace stability and a "batteries included" philosophy.

Curious about what the full architecture looks like with Heroku?

Once you have Celery and Gunicorn configured, you can focus the majority, if not all, of your time on developing your application -- everything else is an add-on.

Recommended resources:

1. How to Deploy Software
2. Thoughts on Web Application Deployment

Production Checklist

Deploying a new Django app to Heroku? Review the following checklist for help. Make sure you document the deployment workflow throughout the entire process.

Before deployment

Frontend:

1. Spell check Django templates.
2. Set favicon.
3. Customize the default error views.
4. Add a robots.txt file.
5. Create a sitemap.xml file.
6. Compress and optimize all images.
7. Set up Google Analytics.
8. Configure SSL.
9. Configure a CDN provider, like Cloudflare, for frontend assets.

Django:

1. Anonymize the production Django admin URL.
2. Optionally add the django-cors-headers app to add Cross-Origin Resource Sharing (CORS) headers to responses.
3. Consider using ATOMIC_REQUESTS.
4. Configure the following Django settings for production:
   • Set ALLOWED_HOSTS only for valid domains.
   • Set DEBUG to False.
   • Change SECRET_KEY to a long, unique string of random bytes.
   • Set CSRF_COOKIE_SECURE, SESSION_COOKIE_SECURE, SECURE_SSL_REDIRECT, and SECURE_CONTENT_TYPE_NOSNIFF to True.
   • Check SECURE_PROXY_SSL_HEADER.
   • Optionally configure XFrameOptionsMiddleware, to help prevent clickjacking, HTTP Strict Transport Security, and SECURE_BROWSER_XSS_FILTER.
   • If you're using subdomain, set SESSION_COOKIE_DOMAIN.
   • Ensure DEFAULT_FROM_EMAIL is set to the correct email.

Continuous Integration:

1. Set up a CI service.
2. Run python manage.py check --deploy against the production settings.
3. Configure any other linters and/or code analysis tools to run.
4. Test the CI process.
5. Configure automated deployments.

Heroku:

1. Ensure the latest Heroku stack and Python version are being used.
2. Configure Postgres and Redis add-ons.
3. Set up database backups.
4. Configure remaining Heroku add-ons -- e.g., Papertrail, Scout, Sentry, and SendGrid.
5. Set environment variables.
6. Set up at least two web and worker processes for redundancy.

After deployment

Frontend:

1. Run the Mozilla Observatory, Google PageSpeed, Google Mobile-Friendly, webhint, and Netsparker Security Headers scans.
2. Use the WAVE tool to test if your page meets the accessibility standards.
3. Review the Front-End Checklist.
4. Run a SSL Server Test.
5. Run automated tests if you have them or manually test your app from the browser.
6. Verify 301 redirects are configured properly.
7. Set up Google Tag Manager.
8. Configure Uptime Robot.

Cheers!