Securie for Django REST Framework
DRF's permission_classes are the authorization boundary; a ViewSet with a missing or default permission class is effectively unauthenticated. Scoping the queryset in get_queryset() is the fix for BOLA (Broken Object Level Authorization), and many ViewSets skip it.
Why it matters for Django REST Framework
Securie reviews every DRF PR; specialists cover permission_classes, queryset scoping, and serializer validators.
- Designed for Django 5+ and DRF 3+
- Catches missing permission_classes
- Validates get_queryset() scoping
- Works with Render + Fly + Heroku + bare-metal
Common bugs we catch in Django REST Framework
ViewSet without permission_classes
Default DEFAULT_PERMISSION_CLASSES is AllowAny in dev — production must override it per ViewSet.
queryset = Model.objects.all() without a get_queryset() filter
An authenticated user sees every row when get_queryset() should filter by the requesting user. This is BOLA.
Serializer without read_only on sensitive fields
If a serializer accepts writes to fields like 'is_admin', a client can elevate privilege with an ordinary PATCH request.
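The three findings above can be checked mechanically at review time. What follows is an added example written for this page, not Securie's own analysis and not Django or DRF code: a small static checker built on Python's standard-library ast module that scans a DRF module for a ViewSet without permission_classes, a queryset = Model.objects.all() with no get_queryset(), and a serializer that exposes a sensitive field without marking it read-only. The SENSITIVE_FIELDS set, the DRF001 to DRF003 finding codes and the SAMPLE source are constructed for the example; the checker runs without Django or DRF installed.

```python
"""Static checker for three common DRF review findings (added example).

Uses only the standard-library ``ast`` module, so it runs without Django
or DRF installed. Finding codes, SENSITIVE_FIELDS and SAMPLE are constructed.
"""
import ast
from dataclasses import dataclass

# Field names a client must never be able to write (constructed list).
SENSITIVE_FIELDS = {"is_admin", "is_staff", "is_superuser", "role"}


@dataclass
class Finding:
    line: int
    code: str
    message: str


def _base_names(cls):
    """Base-class names, e.g. 'ModelViewSet' for viewsets.ModelViewSet."""
    return [b.attr if isinstance(b, ast.Attribute) else getattr(b, "id", "")
            for b in cls.bases]


def _class_attrs(cls):
    """Simple class-level assignments: name -> value node."""
    return {t.id: node.value
            for node in cls.body if isinstance(node, ast.Assign)
            for t in node.targets if isinstance(t, ast.Name)}


def _strings(node):
    """String elements of a list/tuple literal; empty set for anything else."""
    if isinstance(node, (ast.List, ast.Tuple)):
        return {e.value for e in node.elts
                if isinstance(e, ast.Constant) and isinstance(e.value, str)}
    return set()


def _is_objects_all(node):
    """True for an expression of the form Model.objects.all()."""
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "all"
            and isinstance(node.func.value, ast.Attribute)
            and node.func.value.attr == "objects")


def _check_view(cls, attrs):
    """DRF001: no permission_classes. DRF002: unscoped queryset, no get_queryset()."""
    methods = {n.name for n in cls.body if isinstance(n, ast.FunctionDef)}
    out = []
    if "permission_classes" not in attrs:
        out.append(Finding(cls.lineno, "DRF001",
                           f"{cls.name}: no permission_classes; relies on DEFAULT_PERMISSION_CLASSES"))
    if _is_objects_all(attrs.get("queryset")) and "get_queryset" not in methods:
        out.append(Finding(cls.lineno, "DRF002",
                           f"{cls.name}: queryset = Model.objects.all() with no get_queryset() scoping (BOLA)"))
    return out


def _check_serializer(cls, attrs):
    """DRF003: a sensitive field is exposed and not read-only."""
    exposed, read_only = set(), set()
    for name, value in attrs.items():  # explicitly declared fields
        exposed.add(name)
        if isinstance(value, ast.Call) and any(
                kw.arg == "read_only" and isinstance(kw.value, ast.Constant)
                and kw.value.value is True for kw in value.keywords):
            read_only.add(name)
    meta = next((n for n in cls.body if isinstance(n, ast.ClassDef) and n.name == "Meta"), None)
    if meta is not None:
        m = _class_attrs(meta)
        fields = m.get("fields")
        if isinstance(fields, ast.Constant) and fields.value == "__all__":
            exposed |= SENSITIVE_FIELDS  # conservative: every model column is exposed
        exposed |= _strings(fields)
        read_only |= _strings(m.get("read_only_fields"))
    return [Finding(cls.lineno, "DRF003",
                    f"{cls.name}: sensitive field '{f}' is writable; add it to read_only_fields")
            for f in sorted(SENSITIVE_FIELDS & (exposed - read_only))]


def lint_drf_source(source):
    """Return all findings for one DRF module given as source text."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        bases, attrs = _base_names(cls), _class_attrs(cls)
        if any(b.endswith(("ViewSet", "APIView")) for b in bases):
            findings += _check_view(cls, attrs)
        elif any(b.endswith("Serializer") for b in bases):
            findings += _check_serializer(cls, attrs)
    return findings


# Constructed DRF module: one vulnerable and one hardened pair of classes.
SAMPLE = '''
from rest_framework import permissions, serializers, viewsets
from .models import Account

class AccountSerializer(serializers.ModelSerializer):
    class Meta:
        model = Account
        fields = ["id", "email", "is_admin"]

class SafeAccountSerializer(serializers.ModelSerializer):
    class Meta:
        model = Account
        fields = ["id", "email", "is_admin"]
        read_only_fields = ["is_admin"]

class AccountViewSet(viewsets.ModelViewSet):
    queryset = Account.objects.all()
    serializer_class = AccountSerializer

class SafeAccountViewSet(viewsets.ModelViewSet):
    permission_classes = [permissions.IsAuthenticated]
    serializer_class = SafeAccountSerializer

    def get_queryset(self):
        return Account.objects.filter(owner=self.request.user)
'''

if __name__ == "__main__":
    for f in lint_drf_source(SAMPLE):
        print(f"line {f.line} {f.code} {f.message}")
```

On SAMPLE the checker reports DRF001 and DRF002 for AccountViewSet and DRF003 for AccountSerializer, and nothing for the Safe variants, which declare permission_classes, scope the queryset in get_queryset() and list is_admin in read_only_fields. The checker is syntactic: a ViewSet that sets permission_classes = [AllowAny] passes DRF001, and a queryset filtered on anything other than the requesting user passes DRF002, so its output is a review prompt rather than a verdict.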
Install in under a minute
- Install the Securie GitHub App
- Securie auto-detects Django via requirements.txt
- Push any PR
Django is a registered trademark of the Django Software Foundation. Securie is independent.