NB: This is the sixth post in a series
[https://www.coffeeonthekeyboard.com/best-basic-security-practices-especially-with-django-697/] of
posts on web application security.
 1. Don’t put session IDs in the URL. Django explicitly does not support
    [https://docs.djangoproject.com/en/dev/topics/http/sessions/#session-ids-in-urls]
    this because it’s just dangerous: a session ID in a URL can leak through the
    Referer header, browser history and server logs.
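
One way to check an existing deployment against this rule, as an added example that is not from the original post: it scans access-log lines in combined log format for session-like parameter names in the request URL or the Referer field. The parameter list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed watch list: "sessionid" is Django's default session cookie name,
# the others are common defaults in other stacks. Adjust to your own names.
SESSION_PARAMS = {"sessionid", "phpsessid", "jsessionid", "sid", "session_id"}

# Combined log format: quoted request line, status, size, quoted Referer.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def session_params_in(url):
    """Return session-like parameter names found in the URL's query string
    or in ';name=value' path parameters (the URL-rewriting form)."""
    parts = urlsplit(url)
    found = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    for segment in parts.path.split(";")[1:]:
        found.add(segment.split("=", 1)[0].lower())
    return sorted(found & SESSION_PARAMS)

def audit(lines):
    """Yield (line_number, field, parameter_names) for each leaking field."""
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        for field in ("target", "referer"):
            names = session_params_in(match.group(field))
            if names:
                yield number, field, names

# Constructed sample lines (documentation addresses and hosts, made-up IDs).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /account/?sessionid=abc123 HTTP/1.1" 200 512 "-" "ua"',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /blog/ HTTP/1.1" 200 2048 "https://shop.example/cart;jsessionid=F00D?item=4" "ua"',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /search/?q=session HTTP/1.1" 200 900 "-" "ua"',
]

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(hit)
```

A hit in the `referer` field means another site's session ID reached your logs through a followed link, which is the same leak seen from the receiving end.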