26👍
Here is what the Django 1.8 documentation says on the subject:
--insecure
Use the
--insecureoption to force serving of static files with the staticfiles app even if theDEBUGsetting isFalse. By using this you acknowledge the fact that it’s grossly inefficient and probably insecure. This is only intended for local development, should never be used in production and is only available if thestaticfilesapp is in your project’sINSTALLED_APPSsetting.
As you can see, they say "grossly inefficient" and "probably insecure". They didn’t say "definitely insecure" or "insecure". I think that what they are hinting at is that they haven’t done a thorough security analysis of the staticfiles app and its interactions with the rest of Django.
For me, the "grossly inefficient" part should be sufficient to deter you from serving static content. It is easy to do it better … starting with the collectstatic command.
Some more searching lead me to this Google Groups posting, in response to someone asking about why --insecure is insecure.
From: Malcolm Tredinnick
Nothing can be considered secure unless it is designed and audited for
security. We have done neither with the static file server. It may not
have existing security holes, but it should not be considered secure
because that’s not a design goal.For example, a secure file server would need to check for resource
allocation problems so that serving a very large file didn’t constitute
a denial-of-service attack. That requires a lot of extra code and
pipeline management which isn’t worth putting into something that’s just
for development purposes.
… which supports my interpretation.