Nerd Level Tech logo
|

Django and Backend APIs: Building Scalable, Secure, and Modern Backends

November 30, 2025

#Django#Backend#API#Python#REST#GraphQL#Web Development
Django and Backend APIs: Building Scalable, Secure, and Modern Backends

TL;DR

  • Django is one of the most mature and versatile Python frameworks for building backend APIs.
  • It offers built-in ORM, authentication, and admin tools that drastically reduce development time.
  • Django REST Framework (DRF) extends Django's power for RESTful APIs with serialization, authentication, and throttling.
  • Proper configuration, caching, and async support make Django APIs production-ready and scalable.
  • Security, testing, and observability are key to maintaining a reliable backend service.

What You'll Learn

  1. How Django and Django REST Framework work together to create robust APIs.
  2. How to design, implement, and deploy scalable backend APIs.
  3. When to use Django vs. lighter frameworks like FastAPI or Flask.
  4. How to handle authentication, caching, and async operations.
  5. How to test, monitor, and secure your Django APIs in production.

Prerequisites

  • Basic Python knowledge (functions, classes, virtual environments)
  • Familiarity with HTTP and REST concepts
  • Optional: Some experience with Django or Flask

Introduction: Why Django Still Dominates Backend Development

Django has been around since July 2005 — celebrating its 20th anniversary in 2025 — and yet it remains one of the most widely used backend frameworks for Python web development. Its philosophy of "batteries included" means you get ORM, authentication, admin interface, and middleware out of the box. But in 2025, Django isn't just for traditional web apps — it's a serious contender for modern API backends.

Django REST Framework (DRF) extends Django's capabilities with powerful tools for building RESTful APIs. Combined, they form a battle-tested stack used by major companies and startups alike — most notably Instagram, which continues to run what engineers describe as "the world's largest deployment of the Django web framework."

Here's what makes Django particularly strong for backend APIs:

  • Consistency: Follows clear conventions, making large projects maintainable.
  • Security: Built-in protections against common vulnerabilities (CSRF, XSS, SQL injection).
  • Scalability: Works well with caching, async views, and WSGI/ASGI servers.
  • Community: A massive ecosystem of plugins and extensions.

Django vs. Other Backend Frameworks

Let's compare Django to other popular Python frameworks for API development:

Feature Django + DRF FastAPI Flask
Type Full-stack framework API-focused Microframework
ORM Built-in (Django ORM) Optional (SQLAlchemy, Tortoise) Optional
Authentication Built-in Requires add-ons Requires add-ons
Async support Comprehensive (views, ORM methods, signals) Native (ASGI-based) Partial (async routes on separate threads)
Admin interface Yes No No
Best for Large, complex apps High-performance async APIs Lightweight prototypes

In short, Django is ideal for projects that need structure, maturity, and security — while FastAPI shines for async-heavy, performance-critical workloads where native ASGI support is essential.

A Note on Flask's Async Support

Flask 2.0+ added async route support, but it runs coroutines on separate threads rather than using a full event loop. This makes it less performant than async-first frameworks like FastAPI for high-concurrency scenarios.

Setting Up a Django API Project

Let's walk through building a simple REST API using Django and Django REST Framework. The examples use Django 5.2 LTS (the current stable release as of November 2025) and DRF 3.16.

Step 1: Install Dependencies

python -m venv venv
source venv/bin/activate
pip install django djangorestframework

Step 2: Create a Django Project

django-admin startproject api_project
cd api_project
python manage.py startapp todos

Step 3: Define a Model

# todos/models.py
from django.db import models

class Todo(models.Model):
    title = models.CharField(max_length=100)
    completed = models.BooleanField(default=False)

    def __str__(self):
        return self.title

Step 4: Create a Serializer

# todos/serializers.py
from rest_framework import serializers
from .models import Todo

class TodoSerializer(serializers.ModelSerializer):
    class Meta:
        model = Todo
        fields = ['id', 'title', 'completed']

Step 5: Build the API Views

# todos/views.py
from rest_framework import viewsets
from .models import Todo
from .serializers import TodoSerializer

class TodoViewSet(viewsets.ModelViewSet):
    queryset = Todo.objects.all()
    serializer_class = TodoSerializer

Step 6: Configure URLs

# api_project/urls.py
from django.contrib import admin
from django.urls import path, include
from rest_framework.routers import DefaultRouter
from todos.views import TodoViewSet

router = DefaultRouter()
router.register(r'todos', TodoViewSet)

urlpatterns = [
    path('admin/', admin.site.urls),
    path('api/', include(router.urls)),
]

Step 7: Run the Server

python manage.py makemigrations
python manage.py migrate
python manage.py runserver

Example Output

System check identified no issues (0 silenced).
Django version 5.2.8, using settings 'api_project.settings'
Starting development server at http://127.0.0.1:8000/

You now have a fully functional REST API with CRUD endpoints — all in less than 50 lines of code.

Architecture Overview

Here's a simplified view of how Django handles backend API requests:

graph TD
A[Client Request] --> B[URL Router]
B --> C[ViewSet / View]
C --> D[Serializer]
D --> E[Model / ORM]
E --> F[Database]
F --> D
D --> C
C --> G[Response JSON]

Each layer has a clear responsibility:

  • Router: Maps URLs to views.
  • ViewSet: Handles logic for HTTP methods.
  • Serializer: Converts between Python objects and JSON.
  • Model: Defines data schema.
  • ORM: Manages database operations.

When to Use Django vs When NOT to Use Django

Scenario Use Django Avoid Django
You're building a full-featured web app with an API
You need built-in authentication, ORM, and admin
You want a lightweight microservice 🚫
You need ultra-low latency or very high concurrency 🚫
You prefer async-first architecture ⚠️ Consider FastAPI

If you're building a monolithic or moderately complex backend where maintainability and security matter more than raw speed, Django is a great fit.

Common Pitfalls & Solutions

1. N+1 Query Problem

Problem: Inefficient ORM queries cause performance bottlenecks.

Solution: Use select_related() or prefetch_related().

# Before (N+1 queries)
for todo in Todo.objects.all():
    print(todo.user.username)

# After (2 queries total)
todos = Todo.objects.select_related('user')
for todo in todos:
    print(todo.user.username)

2. Over-Serialization

Problem: Serializing large querysets can slow down responses.

Solution: Use pagination and limit fields.

from rest_framework.pagination import PageNumberPagination

class TodoPagination(PageNumberPagination):
    page_size = 10

3. Blocking I/O in Async Views

Django's async support has matured significantly since its introduction in version 3.1. As of Django 5.x, you have access to async views, async ORM methods, and async signal dispatch. However, for best performance, use async-compatible libraries for I/O (e.g., httpx instead of requests).

Performance Optimization

Caching

Django supports multiple caching backends (Redis, Memcached, file-based). Example with Redis using django-redis:

# settings.py
CACHES = {
    'default': {
        'BACKEND': 'django_redis.cache.RedisCache',
        'LOCATION': 'redis://127.0.0.1:6379/1',
    }
}

Async Views Example

from django.http import JsonResponse
import asyncio

async def async_status(request):
    await asyncio.sleep(1)
    return JsonResponse({'status': 'ok'})

Async ORM Methods (Django 4.1+)

Django 4.1 introduced async-compatible ORM interfaces with a-prefixed methods:

# Async ORM operations
user = await User.objects.aget(pk=1)
todos = [todo async for todo in Todo.objects.filter(completed=True)]
new_todo = await Todo.objects.acreate(title="New Task")

Important caveat: While the async interface is comprehensive, the underlying database operations still use sync_to_async() wrappers internally. True async database drivers are a work in progress. Transactions don't yet work in async mode.

Database Indexing

Always index fields used in filters:

class Todo(models.Model):
    title = models.CharField(max_length=100, db_index=True)

Security Considerations

Django includes strong defaults for web security:

  • CSRF protection enabled by default via CsrfViewMiddleware.
  • XSS protection through automatic template escaping.
  • SQL injection protection via ORM parameterization.
  • Password hashing with PBKDF2-SHA256 (720,000 iterations by default in Django 5.x). Argon2 is recommended but requires the argon2-cffi library.

You can also add:

  • Rate limiting (via DRF throttling)
  • CORS headers for cross-domain APIs (django-cors-headers)
  • HTTPS enforcement using SECURE_SSL_REDIRECT = True

Security Best Practices Checklist

# settings.py (production)
DEBUG = False
ALLOWED_HOSTS = ['yourdomain.com']
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_HSTS_SECONDS = 31536000

Testing Django APIs

Django's TestCase integrates tightly with the ORM and test client.

from django.test import TestCase
from rest_framework.test import APIClient
from .models import Todo

class TodoAPITest(TestCase):
    def setUp(self):
        self.client = APIClient()
        self.todo = Todo.objects.create(title='Test Todo')

    def test_get_todos(self):
        response = self.client.get('/api/todos/')
        self.assertEqual(response.status_code, 200)

    def test_create_todo(self):
        response = self.client.post('/api/todos/', {'title': 'New Todo'})
        self.assertEqual(response.status_code, 201)
        self.assertEqual(Todo.objects.count(), 2)

You can integrate this into a CI/CD pipeline using GitHub Actions or GitLab CI.

Monitoring and Observability

Monitoring Django APIs typically involves:

  • Logging: Use logging.config.dictConfig() for structured logs.
  • Metrics: Integrate with Prometheus or StatsD.
  • Tracing: Use OpenTelemetry for distributed tracing.

Example logging configuration:

# settings.py
LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'formatters': {
        'verbose': {
            'format': '{levelname} {asctime} {module} {message}',
            'style': '{',
        },
    },
    'handlers': {
        'console': {
            'class': 'logging.StreamHandler',
            'formatter': 'verbose',
        },
    },
    'root': {
        'handlers': ['console'],
        'level': 'INFO',
    },
}

Real-World Example: Scaling a Django API

Large-scale services use Django for backend APIs in production. Instagram launched in October 2010 using Python and Django, and continues to maintain one of the largest Django deployments in the world, serving over 2 billion users. Over time, they scaled by:

  • Sharding databases
  • Using Redis for caching
  • Offloading heavy tasks to Celery workers
  • Deploying behind load balancers with Gunicorn + Nginx

These patterns remain standard across production Django deployments.

Common Mistakes Everyone Makes

  1. Ignoring Database Indexes → Leads to slow queries as data grows.
  2. Mixing Business Logic in Views → Harder to maintain and test; use services or domain layers.
  3. Not Using Environment Variables → Security risk; never commit secrets to version control.
  4. Skipping Tests → Causes regressions; aim for 80%+ coverage on critical paths.
  5. Not Configuring ALLOWED_HOSTS Properly → Opens security holes; always set explicitly in production.

Troubleshooting Guide

Error Cause Solution
ImproperlyConfigured: You must define ALLOWED_HOSTS Missing config Add ALLOWED_HOSTS in settings
CSRF verification failed Missing token Include CSRF token in POST requests
OperationalError: no such table Migrations not applied Run python manage.py migrate
ImportError: No module named rest_framework Missing dependency Install djangorestframework
SynchronousOnlyOperation in async view Sync ORM call in async context Use a-prefixed async methods or sync_to_async()

GraphQL with Django

If your frontend needs flexible queries, consider GraphQL. The primary options are:

  • Graphene-Django (v3.2.3): Mature and widely used, though development pace has slowed.
  • Strawberry-Django: Modern alternative gaining traction, with better type hints and async support.

Example with Graphene-Django:

# schema.py
import graphene
from graphene_django import DjangoObjectType
from .models import Todo

class TodoType(DjangoObjectType):
    class Meta:
        model = Todo
        fields = ('id', 'title', 'completed')

class Query(graphene.ObjectType):
    todos = graphene.List(TodoType)

    def resolve_todos(self, info):
        return Todo.objects.all()

schema = graphene.Schema(query=Query)

Try It Yourself Challenge

  • Add JWT authentication using djangorestframework-simplejwt.
  • Add a /health endpoint that reports database and cache status.
  • Implement async views for I/O-heavy operations.
  • Deploy your API to a cloud provider (e.g., Render, Railway, AWS Elastic Beanstalk).

Key Takeaways

Django remains one of the most capable tools for building backend APIs. With Django REST Framework, caching, async support, and proper testing, you can deliver secure, scalable, and maintainable APIs for both startups and enterprise systems.

FAQ

Q1: Is Django good for microservices?
It can be, but its full-stack nature may add overhead. For lightweight microservices, consider FastAPI or Flask. For larger services that benefit from Django's ecosystem, it works well.

Q2: Can Django handle async requests?
Yes. Since version 3.1, Django supports async views. Django 4.1+ added async ORM methods, and Django 5.x includes async signal dispatch. However, database connections still use sync wrappers internally.

Q3: How secure is Django for public APIs?
Very secure if configured properly — it includes built-in protections against major OWASP Top 10 vulnerabilities including CSRF, XSS, and SQL injection.

Q4: What's the best way to scale Django APIs?
Use caching (Redis), async views for I/O-bound operations, horizontal scaling with Gunicorn, database read replicas, and load balancing.

Q5: Should I use GraphQL with Django?
If your frontend needs flexible queries, yes. Graphene-Django is mature; Strawberry-Django is a modern alternative with better async support.

Q6: What's new in Django 5.x?
Django 5.0 (December 2023) brought form field rendering improvements and simplified templates. Django 5.1 added async authentication methods. Django 5.2 LTS (current) is the recommended version for new projects.

Next Steps

  • Explore Django 5.2 LTS features in the official release notes.
  • Add authentication with DRF's built-in token auth or JWT.
  • Set up caching with Redis for high-traffic endpoints.
  • Implement comprehensive API documentation with drf-spectacular.

References

  1. Django Official Documentation
  2. Django REST Framework
  3. Django Async Support
  4. Django Caching Framework
  5. Django Security
  6. OWASP Top 10 Security Risks
  7. djangorestframework-simplejwt
  8. Graphene-Django