According to the documentation, using the django.views.static.server() function is:

inefficient and insecure.

I understand why it's inefficient, but in which aspect is it insecure?

+3  A: 

django.views.static.server() is based on the Django development server. According to the Django book, "it has not gone through a security audit of any sort".

It is not designed for production purposes, and it is not tested for that purpose either. It would be insecure to use an untested web server.

luc
+4  A: 

It's as insecure as the Django test server itself, for starters, like the above answer said -- that is, it's not tested for any sort of security the way a "production-ready" server like CherryPy would be. As a result, there could be all sorts of lurking security issues with users accessing files they shouldn't be able to; while these are generally fixed they're not considered "priority" as they would be with a production server, and no one's really banging on it looking for these things.

Furthermore, see this summer's Django security update that fixed a situation where a maliciously-crafted URL could give a visitor access to any file the Django user could see, even if it wasn't under the static root. It's fixed, but should give you an idea about why you should use a Real Server in production settings.

Yoni Samlan
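The kind of bug the second answer refers to (a crafted URL reaching files outside the static root) is what a containment check in a static-file view is there to prevent. The following is an added illustrative example, not Django's own code or API: the names `resolve_static_path`, `is_safe_request` and `SuspiciousPath` are hypothetical, and the document root and request paths are constructed sample values.

```python
import os
import posixpath
from urllib.parse import unquote


class SuspiciousPath(Exception):
    """Raised when a requested URL path would map outside the document root."""


def resolve_static_path(document_root: str, url_path: str) -> str:
    """Map a URL path onto a file under document_root, or raise SuspiciousPath.

    Hypothetical helper showing the containment check a static-file view
    needs; it does not reproduce Django's own implementation.
    """
    # Percent-decode first, so "%2e%2e" is seen as ".." before any check runs.
    decoded = unquote(url_path)
    # A NUL byte makes filesystem calls raise and a backslash is a separator
    # on Windows; a static-file request needs neither, so refuse both outright.
    if "\x00" in decoded or "\\" in decoded:
        raise SuspiciousPath(url_path)
    # Normalise as a POSIX path and drop leading slashes so an absolute URL
    # path is treated as relative to the root instead of replacing it.
    normalized = posixpath.normpath(decoded).lstrip("/")
    # Any ".." that survives normalisation means the path tried to climb
    # above the root, e.g. "css/../../etc/passwd" -> "../etc/passwd".
    if ".." in normalized.split("/"):
        raise SuspiciousPath(url_path)
    if normalized == ".":
        normalized = ""  # the root directory itself
    candidate = os.path.join(document_root, normalized)
    # Belt and braces: resolve symlinks and confirm the final location is
    # still at or below the root, which the string checks above cannot see.
    root_real = os.path.realpath(document_root)
    cand_real = os.path.realpath(candidate)
    if cand_real != root_real and not cand_real.startswith(root_real + os.sep):
        raise SuspiciousPath(url_path)
    return candidate


def is_safe_request(document_root: str, url_path: str) -> bool:
    """True if the request resolves to a location under the document root."""
    try:
        resolve_static_path(document_root, url_path)
    except SuspiciousPath:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for req in ["css/site.css", "/img/logo.png", "css/../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd"]:
        print(req, "->", "ok" if is_safe_request("/srv/static", req) else "rejected")
```

Even with such a check in place, the answers' point stands: in production, hand static files to the web server rather than to an application view.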