I'm hosting the server on a vanilla Ubuntu box from DO, so I've read into disabling root SSH access and removing SSH password authentication. I'm using nginx as a proxy, but I'm not sure if there is work I need to do there as well. I'm currently working on setting up HTTPS connections, but any other pointers and ideas would be much appreciated!
Not strictly from a Django perspective, but general web apps. I have tried it, tested it, and used it in production; however, remember, security is something very specific. My solution can't work the same with yours, so consider hacking this for your purposes.
With that said, let's get into it.
Decouple Networking Infrastructure
We all love to decouple our applications into smaller pieces. I have found that decoupling networking infrastructure into bits and pieces really helps with scaling, and secures your application.
Topology
Topology is your virtual data center fabric. I do two things here:
Design
That being said, it's usually really helpful if you think of something on paper and then try to find vulnerabilities; patch them up, and, in the end, you get a somewhat secure setup (in security, nothing is 100% secure.)
Encryption and Backup
If you're storing sensitive data, it's a good idea to set up deferred encryption; this sort of encryption is unobtrusive, meaning that it's done once every day/week/month at a specific time with little or no load on your primary databases, and secures all of the data.
You can set up backups the same way.
Machine Type
(copying from one of my previous answers)
For databases/caches I use storage-optimised machines. The principle I follow is rather simple:
If you're on Amazon AWS, I wouldn't recommend EBS. I use I2 -- High I/O Instances.
.xlarge serves almost everything.
Transport Layer Security (TLS)
Ah, cryptography. My favorite subject ( @JanVladimirMostert will vouch for me about how interesting it can get :D )
Setting up dhparams
This is the Diffie-Hellman group parameter. For the non-crypto-enthusiasts here, the dhparam is used for the Diffie-Hellman Key Exchange mechanism. Very simply put, any person intercepting the traffic, seeing everything, can't derive the key the two parties have generated. Pretty cool.
So, for that, you need some "clean" DH parameters. "Clean" as in, generated by you. Now, this takes time, so you might want to wait for it. You can generate a secure param using
openssl dhparam -out ~/Desktop/dhparam.pem 4096
then copy that dhparam.pem file to your server and use it.
Cipher Suite
The cipher suite defines what the browser will use for TLS. It usually consists of the following components:
DH for Diffie-Hellman; RSA for authentication; AES-128 for encryption; SHA-1 for message digests.
The cipher suite will be DH-RSA-AES128-SHA1. To get the best possible security, I'd recommend the following suites:
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
This has been formatted for nginx, so you can just add an ssl_ciphers tag with this suite-set within your server block, and you're ready.
Protocol Versions
SSL 3 and earlier (< 3) have been exploited. See the POODLE attack. The set of protocols I'd recommend is TLSv1 TLSv1.1 TLSv1.2, which you can add in your nginx setup using
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
within the server block.
HTTP Strict Transport Security
HSTS: it means that the user won't go on HTTP. Add it with
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
Firewalls
Consider using firewalls. I can't write a long thing here, as it's really, really specific.
Conclusion
I'd love to help you implement this, should you wish! If you want more advice, feel free to contact me. :)
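As an added example (not code from the answer above or from the nginx project), here is a small Python checker that reads an nginx server block and flags the TLS settings the answer discusses: SSLv3 left in ssl_protocols, weak tokens allowed in ssl_ciphers (or aNULL/MD5 not excluded), a missing ssl_dhparam, and a missing or short HSTS header. Both sample server blocks are constructed for this example; the hardened one applies the directives recommended in the answer, and the one-year HSTS minimum is a threshold chosen here, not something the answer states.

```python
import re

# Constructed sample: a server block with the defaults this checker is meant to flag.
WEAK_SERVER_BLOCK = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4:MD5;
}
"""

# Constructed sample applying the settings recommended in the answer.
HARDENED_SERVER_BLOCK = """
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
}
"""

# One "name value;" directive per line; braces and blank lines are skipped.
DIRECTIVE_RE = re.compile(r'^\s*(\S+)\s+(.*?);\s*$', re.MULTILINE)

# Cipher-list tokens that should never appear without a leading "!".
WEAK_CIPHER_TOKENS = ('MD5', 'RC4', 'aNULL', 'eNULL', 'EXPORT', 'LOW')

# Threshold chosen for this example (one year, in seconds).
MIN_HSTS_MAX_AGE = 31536000


def parse_directives(block):
    """Return a list of (name, value) pairs for each directive line in the block."""
    return DIRECTIVE_RE.findall(block)


def audit_tls(block):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    by_name = {}
    for name, value in parse_directives(block):
        by_name.setdefault(name, []).append(value)
    findings = []

    # Protocol versions: any SSLv* entry is a finding (POODLE against SSLv3).
    protocols = by_name.get('ssl_protocols')
    if not protocols:
        findings.append('ssl_protocols not set; the nginx default list is in effect')
    else:
        legacy = sorted(p for p in protocols[-1].split() if p.startswith('SSLv'))
        if legacy:
            findings.append('ssl_protocols enables %s' % ', '.join(legacy))

    # Cipher list: weak tokens allowed, or aNULL/MD5 not explicitly excluded.
    ciphers = by_name.get('ssl_ciphers')
    if not ciphers:
        findings.append('ssl_ciphers not set; the nginx default list is in effect')
    else:
        tokens = ciphers[-1].split(':')
        allowed = {t for t in tokens if not t.startswith('!')}
        excluded = {t[1:] for t in tokens if t.startswith('!')}
        for weak in WEAK_CIPHER_TOKENS:
            if weak in allowed:
                findings.append('ssl_ciphers explicitly allows %s' % weak)
            elif weak in ('aNULL', 'MD5') and weak not in excluded:
                findings.append('ssl_ciphers does not exclude %s (add !%s)' % (weak, weak))

    # DH parameters: the answer recommends generating your own with openssl dhparam.
    if 'ssl_dhparam' not in by_name:
        findings.append('ssl_dhparam not set; generate your own group with openssl dhparam')

    # HSTS: header present and max-age at or above the chosen minimum.
    hsts = [v for v in by_name.get('add_header', [])
            if v.split()[0] == 'Strict-Transport-Security']
    if not hsts:
        findings.append('no Strict-Transport-Security header; clients may keep using HTTP')
    else:
        m = re.search(r'max-age=(\d+)', hsts[-1])
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append('Strict-Transport-Security max-age below %d seconds' % MIN_HSTS_MAX_AGE)

    return findings


if __name__ == '__main__':
    for label, block in (('weak', WEAK_SERVER_BLOCK), ('hardened', HARDENED_SERVER_BLOCK)):
        print('%s server block:' % label)
        for finding in audit_tls(block) or ['no findings']:
            print('  - ' + finding)
```

Run it against your own server block by reading the file into a string and passing it to audit_tls; a clean result only means these four directives match the answer's recommendations, not that the rest of the configuration is sound.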