Hidden in plain sight, 8% of Django projects have flaky middleware.
Code Review Doctor
Posted on January 11, 2021
Django Doctor audits code and auto fixes Django anti-patterns. We checked 666 Django projects for problems hindering maintainability and found that 8% of the Django websites have incorrectly ordered middleware read more.
Incorrect middleware order is can break middleware hence docs for middleware advise this should come before x or after y. Some middleware read headers that others set. Some set headers that affect caching. Some perform actions on the rendered response content such as gzip. Thus we can see why order is important.
Let's delve into the order the built-in Django middleware should conform to, and why your website might break if you don't adhere to this order. Incorrect ordered middleware can break make these features not work as you intended at times.
Near the start
SecurityMiddleware
A middleware that hardens security. Security checks should happen as early in the request as possible, so the advice is to have that at the start of the middleware. See here for our deep dive into this middleware and videos demonstrating the hacks your website is vulnerable to without it.
CommonMiddleware
As the name implies, this performs common operations we expect Django to do such as redirecting according to APPEND_SLASH
and PREPEND_WWW
setting. If Django is redirecting based on the URL, we want that to happen as soon as possible, hence this middlware comes at the start. The middleware also sets content-length, which other middlwares may rely on.
LocaleMiddleware
This handles internationalization of content. It customizes content for each user. We would not want any part of our website to miss that language-specific and user-specific customization and have the header in English the footer in Spanish. no, muévelo cerca del principio.
Near the end
There are two built in fallback middlewares that perform some operation if all else fails:
RedirectFallbackMiddleware
This middleware handles 404s by redirecting somewhere according to redirect records set in Django admin. We would not want this to happen at the start otherwise database records would take precedence over code in urls.py, and also the database lookup would slow down the response that do not need a fallback.
FlatpageFallbackMiddleware
Very similar to RedirectFallbackMiddleware
but it serves flat pages instead of redirecting the user somewhere.
Relative to each other
And then the spider web begins:
UpdateCacheMiddleware
before SessionMiddleware
UpdateCacheMiddleware
before GZipMiddleware
UpdateCacheMiddleware
before LocaleMiddleware
SessionMiddleware
before LocaleMiddleware
GZipMiddleware
before ConditionalGetMiddleware
SessionMiddleware
before AuthenticationMiddleware
SessionMiddleware
before MessageMiddleware
CsrfViewMiddleware
before RemoteUserMiddleware
FetchFromCacheMiddleware
before SessionMiddleware
FetchFromCacheMiddleware
before GZipMiddleware
FetchFromCacheMiddleware
before LocaleMiddleware
Does your codebase order middleware correctly?
Nearly 1 in 10 of the devs reading this probably do. It’s easy to miss something during code review. I can check that for you at django.doctor, or can review your GitHub PRs:
Or try out Django refactor challenges.
Posted on January 11, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.