Not strictly from a Django perspective, but general web apps. I have tried it, tested it, and used it in production; however, remember, security is something very specific. My solution can't work the same with yours, so consider hacking this for your purposes.
With that said, let's get into it.
We all love to decouple our applications into smaller pieces. I have found that decoupling networking infrastructure into bits and pieces really helps with scaling, and secures your application.
Topology is your virtual data center fabric. I do two things here:
That being said, it's usually really helpful if you think of something on paper and then try to find vulnerabilities; patch them up, and, in the end, you get a somewhat secure setup (in security, nothing is 100% secure.)
If you're storing sensitive data, it's a good idea to set up deferred encryption; this sort of encryption is unobtrusive, meaning that it's done once every day/week/month at a specific time with little or no load on your primary databases, and secures all of the data.
You can set up backups the same way.
(copying from one of my previous answers)
For databases/caches I use storage-optimised machines. The principle I follow is rather simple:
If you're on Amazon AWS, I wouldn't recommend EBS. I use I2 -- High I/O Instances. .xlarge serves almost everything.
Ah, cryptography. My favorite subject ( @JanVladimirMostert will vouch for me about how interesting it can get :D )
dhparams
This is the Diffie-Hellman group parameter. For the non-crypto-enthusiasts here, the dhparam is used for the Diffie-Hellman key exchange mechanism. Very simply put, any person intercepting the traffic, seeing everything, can't derive the key the two parties have generated. Pretty cool.
So, for that, you need some "clean" DH-Parameters. "Clean" as in, generated by you. Now, this takes time, so you might want to wait for it. You can generate a secure param using
openssl dhparam -out ~/Desktop/dhparam.pem 4096
then copying that dhparam.pem file to your server, and using it.
The cipher suite defines what the browser will use for TLS. It usually consists of the following components:
DH for Diffie-Hellman;
RSA for authentication;
AES-128 for encryption;
SHA-1 for message digests.
The cipher suite will be DH-RSA-AES128-SHA1.
To get the best possible security, I'd recommend the following suites ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS. This has been formatted for nginx, so you can just add a ssl_ciphers tag with this suite-set within your server block, and you're ready.
SSL 3 and below (< 3) have been exploited. See the POODLE attack. The set of protocols I'd recommend is TLSv1 TLSv1.1 TLSv1.2, which you can add in your nginx setup using ssl_protocols TLSv1 TLSv1.1 TLSv1.2; within the server block.
HSTS
It means that the user won't go on HTTP. Add it with add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
Consider using firewalls. I can't write a long thing here, as it's really, really specific.
I'd love to help you implement this, should you wish! If you want more advice, feel free to contact me. :)
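As an added example (not the answerer's code), this resolves the ssl_ciphers string recommended above against the local OpenSSL to see what it actually expands to, flags the members a reviewer would question (static-RSA key exchange without forward secrecy, and the 3DES entries the string still allows), and checks the recommended Strict-Transport-Security value against the preload-list requirements. It assumes Python's ssl module is linked against a reasonably current OpenSSL.

```python
"""Audit the answer's nginx ssl_ciphers string and HSTS header value."""
import re
import ssl

# Cipher string and HSTS value exactly as given in the answer above.
CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
           "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS")
HSTS = "max-age=63072000; includeSubdomains; preload"


def expand_ciphers(spec: str = CIPHERS) -> list:
    """Return the TLS 1.2-and-below suites the spec selects, with the
    key exchange / authentication / encryption / MAC OpenSSL reports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    out = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not governed by ssl_ciphers
        m = re.search(r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)", c["description"])
        if m:
            out.append({"name": c["name"], "kx": m[1], "au": m[2], "enc": m[3], "mac": m[4]})
    return out


def audit_ciphers(suites: list) -> dict:
    """Summarise the expanded list: forward secrecy, MD5/anon exclusion,
    and which members still use 3DES or static RSA key exchange."""
    return {
        "forward_secrecy_only": all(s["kx"] in ("ECDH", "DH") for s in suites),
        "no_md5_or_anon": all(s["mac"] != "MD5" and s["au"] != "None" for s in suites),
        "3des": [s["name"] for s in suites if "3DES" in s["enc"]],
        "static_rsa": [s["name"] for s in suites if s["kx"] == "RSA"],
    }


def parse_hsts(value: str = HSTS) -> dict:
    """Parse an HSTS value; preload eligibility needs max-age >= 31536000
    (one year) plus the includeSubDomains and preload directives."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    directives = {p.split("=")[0].lower(): (p.split("=", 1)[1] if "=" in p else True) for p in parts}
    max_age = int(directives.get("max-age", 0))
    subdomains, preload = "includesubdomains" in directives, "preload" in directives
    return {"max_age": max_age, "include_subdomains": subdomains, "preload": preload,
            "preload_eligible": max_age >= 31536000 and subdomains and preload}


if __name__ == "__main__":
    print(audit_ciphers(expand_ciphers()))
    print(parse_hsts())
```

The audit shows that the string, as written, keeps static-RSA suites (no forward secrecy) and 3DES reachable; dropping the RSA+ and +3DES members is the usual tightening.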