What you don’t know about middleware ordering could hurt your website

Middleware order is important hence docs for third party libraries advise this should come before x or after y. Some middleware read headers that others set. Some set headers that affect caching. Some perform some action on the rendered response content such as gzip.

Over a long-lived codebase it’s easy for middlware to fall out of order. During my time reviewing pull requests I give this feedback:

code review by Django Doctor

Below is the order the built-in Django middlware should conform to.

Near the start

CommonMiddleware As the name implies, this performs common operations we expect Django to do such as redirecting according to APPEND_SLASH and PREPEND_WWW setting. If Django is redirecting based on the URL, we want that to happen as soon as possible, hence this middlware comes at the start. The middleware also sets content-length, which other middlwares may rely on.

LocaleMiddleware This handles internationalization of content. It customizes content for each user. We would not want any part of our website to miss that language-specific and user-specific customization and have the header in English and the footer in German. Nien! Hence this comes early.

SecurityMiddleware Another well named middleware that hardens security. We would not want security to be handled near the end of the request.

Near the end

There are two built in fallback middlwares that perform some operation if all else fails:

RedirectFallbackMiddleware This middleware handles 404s by redirecting somewhere according to redirect records set in Django admin. We would not want this to happen at the start otherwise database records would take precedence over code in urls.py, and also the database lookup would slow down the response that do not need a fallback.

FlatpageFallbackMiddleware Very similar to RedirectFallbackMiddleware but it serves flat pages instead of redirecting the user somewhere.

Relative to each other

And then the spider web begins:

UpdateCacheMiddleware before SessionMiddleware
UpdateCacheMiddleware before GZipMiddleware
UpdateCacheMiddleware before LocaleMiddleware
SessionMiddleware before LocaleMiddleware
GZipMiddleware before ConditionalGetMiddleware
SessionMiddleware before AuthenticationMiddleware
SessionMiddleware before MessageMiddleware
CsrfViewMiddleware before RemoteUserMiddleware
FetchFromCacheMiddleware before SessionMiddleware
FetchFromCacheMiddleware before GZipMiddleware
FetchFromCacheMiddleware before LocaleMiddleware

Does your codebase order middleware correctly?

It’s easy to miss something. I can check that for you at django.doctor. I’m a GitHub bot that suggest Django improvements to your code.

I even suggest the fix for the problems I find

If you would prefer code smells not make it into your codebase consider installing the GitHub PR bot and reduce dev effort while improving your code.

I’m a GitHub bot that automatically improves your Django. https://django.doctor