HTTPS
Any website which allows users to log in should enforce site-wide HTTPS to avoid transmitting access tokens in the clear. In Django, access tokens include the login/password, the session cookie, and password reset tokens. (You can't do much to protect password reset tokens if you're sending them by email.)
Protecting only sensitive areas such as the user account or the admin isn't sufficient, because the same session cookie is used for HTTP and HTTPS: a single plain-HTTP request exposes it. Your web server must redirect all HTTP traffic to HTTPS, and only transmit HTTPS requests to Django. Once you've set up HTTPS, enable the following settings.
CSRF_COOKIE_SECURE
Set this to True to avoid transmitting the CSRF cookie over HTTP accidentally.
SESSION_COOKIE_SECURE
Set this to True to avoid transmitting the session cookie over HTTP accidentally.
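The following is an added example, not code from the Django documentation or from Django itself. It audits a settings dictionary for the two cookie flags described above and renders the Set-Cookie header the session cookie would carry with and without SESSION_COOKIE_SECURE, so the effect of the flag is visible on the wire. It uses only the Python standard library and therefore runs without Django installed; the two settings dictionaries, the cookie name "sessionid" and the session key are constructed values, and the other cookie attributes (Path, HttpOnly, SameSite) are included only to mirror the shape of a real session cookie.

```python
"""Audit Django cookie-security settings and show the resulting Set-Cookie header.

Added example: not part of the Django docs or Django's code. Pure standard
library so it runs offline, without Django installed.
"""
from http.cookies import SimpleCookie

# The cookie settings this section asks you to enable once HTTPS is in place.
REQUIRED_SECURE_SETTINGS = ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE")

# Constructed settings: a typical development configuration that leaves both
# flags at Django's default of False, beside a hardened production configuration.
INSECURE_SETTINGS = {
    "DEBUG": True,
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_SECURE": False,
}

HARDENED_SETTINGS = {
    "DEBUG": False,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_SECURE": True,
}


def missing_secure_flags(settings):
    """Return the names of the cookie settings that are not set to True.

    A key that is absent counts as a failure, because Django's default for
    both settings is False, so an unset flag is an insecure flag.
    """
    return [name for name in REQUIRED_SECURE_SETTINGS if settings.get(name) is not True]


def session_cookie_header(settings, session_key):
    """Render the Set-Cookie value for the session cookie under these settings.

    With SESSION_COOKIE_SECURE the browser only sends the cookie back over
    HTTPS; without it, the same cookie is also sent on any plain-HTTP request
    for the site. The cookie name defaults to "sessionid" (an assumed value
    mirroring Django's default SESSION_COOKIE_NAME).
    """
    cookie = SimpleCookie()
    name = settings.get("SESSION_COOKIE_NAME", "sessionid")
    cookie[name] = session_key
    cookie[name]["path"] = "/"
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Lax"
    if settings.get("SESSION_COOKIE_SECURE"):
        cookie[name]["secure"] = True
    # output(header="") yields " name=value; ...", so strip the leading space.
    return cookie.output(header="").strip()


def has_secure_attribute(header_value):
    """True if the rendered Set-Cookie value carries the Secure attribute."""
    return "Secure" in header_value.split("; ")


if __name__ == "__main__":
    for label, settings in (("insecure", INSECURE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        missing = missing_secure_flags(settings)
        print(f"{label}: missing flags = {missing or 'none'}")
        print(f"  Set-Cookie: {session_cookie_header(settings, 'constructed-session-key')}")
```

Running the script prints one Set-Cookie line per configuration; only the hardened one ends with `Secure`. The audit function is the part worth wiring into a deployment check: it treats an absent key the same as `False`, which is what Django does, so a settings module that simply forgets the flag is reported rather than silently passing.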