Django Rest Framework (DRF) provides a convenient web-based API browser interface out of the box. This allows developers to interact with the APIs directly in the browser, viewing endpoints and sending test requests. However, in production environments, it’s often desirable to disable this feature for improved security and performance.
In this post, we’ll explore a few simple methods to disable DRF’s browsable API while still allowing standard API interactions.
Why Disable the Browsable API?
While handy in development, there are a few reasons you may want to disable DRF’s browsable API in production:
Firstly, the browsable API introduces additional performance overhead from rendering templates and pages. Disabling it removes this load for a faster API.
Additionally, the web interface could present a security risk if exposed publicly, allowing attackers to probe and identify vulnerabilities. Thus disabling it reduces the attack surface.
Finally, if your API is consumed purely programmatically, the browsable version offers little benefit while using resources unnecessarily. Disabling it focuses operations on what’s needed.
Use Django Settings Module
The simplest approach to disabling the DRF browsing interface is via your Django settings file. Specifically, the REST_FRAMEWORK setting group controls DRF’s configurable options.
To disable browsable APIs globally, include the following in your settings:
    REST_FRAMEWORK = {
        'DEFAULT_RENDERER_CLASSES': (
            'rest_framework.renderers.JSONRenderer',
        )
    }
This configures DRF to use only the JSON renderer by default, disabling autogenerated web views.
Alternatively, you may want to disable browsing on specific API views only. This retains the feature for development APIs while removing it from production.
Do this by configuring the renderer classes on the individual view or viewset instead, like:
    from rest_framework import viewsets
    from rest_framework.renderers import JSONRenderer

    class ProductViewSet(viewsets.ReadOnlyModelViewSet):
        renderer_classes = (JSONRenderer,)
Now this viewset renders only JSON responses, while other views are left untouched.
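The two settings above interact: a view's own renderer_classes overrides the global default, and an unset DEFAULT_RENDERER_CLASSES falls back to DRF's built-in default, which includes the browsable renderer. The following audit helper is an added example, not code from the original post; it is pure Python, and the function names, settings dict and view table are constructed for illustration (in a real project the table would be built from each routed view's renderer_classes attribute).

```python
BROWSABLE = "rest_framework.renderers.BrowsableAPIRenderer"

# DRF's built-in default when DEFAULT_RENDERER_CLASSES is not set.
DRF_DEFAULT_RENDERERS = (
    "rest_framework.renderers.JSONRenderer",
    BROWSABLE,
)


def dotted(renderer):
    """Normalise a renderer given as a dotted path or as a class object."""
    if isinstance(renderer, str):
        return renderer
    return f"{renderer.__module__}.{renderer.__qualname__}"


def effective_renderers(rest_framework, view_renderers=None):
    """Renderers a view ends up with: its own list wins over the global one."""
    if view_renderers is not None:
        return [dotted(r) for r in view_renderers]
    configured = rest_framework.get(
        "DEFAULT_RENDERER_CLASSES", DRF_DEFAULT_RENDERERS
    )
    return [dotted(r) for r in configured]


def browsable_views(rest_framework, views):
    """Names of views that would still serve the browsable API.

    Matches the stock renderer by dotted path only; custom subclasses
    of it are not detected.
    """
    return sorted(
        name
        for name, renderers in views.items()
        if BROWSABLE in effective_renderers(rest_framework, renderers)
    )


# Constructed sample input (hypothetical project).
PROD_SETTINGS = {
    "DEFAULT_RENDERER_CLASSES": ("rest_framework.renderers.JSONRenderer",)
}
VIEWS = {
    "ProductViewSet": None,  # inherits the global default
    "OrderViewSet": ("rest_framework.renderers.JSONRenderer",),
    "DebugViewSet": ("rest_framework.renderers.JSONRenderer", BROWSABLE),
}

if __name__ == "__main__":
    print("JSON-only settings:", browsable_views(PROD_SETTINGS, VIEWS))
    print("no renderer setting:", browsable_views({}, VIEWS))
```

With the JSON-only global setting, only the view that lists the browsable renderer itself is reported; with no renderer setting at all, every view that inherits the default is reported too.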
Configure Renderers Per Action
Another option is to configure rendering classes per handler method on a class-based view. Django's method_decorator cannot do this: it expects a decorator as its first argument, and DRF selects the renderer during content negotiation, before the handler method runs. Override get_renderers() and check the current action instead. For example:
    from rest_framework import viewsets
    from rest_framework.renderers import JSONRenderer

    class ProductViewSet(viewsets.ModelViewSet):
        json_only_actions = ('list', 'create')

        def get_renderers(self):
            # Render only JSON for the selected actions
            if getattr(self, 'action', None) in self.json_only_actions:
                return [JSONRenderer()]
            return super().get_renderers()
This makes only the ‘list’ and ‘create’ actions use the JSON renderer, leaving other actions browsable.
Keeping the configuration at the handler level allows easy selective disablement.
Use Third-Party Packages for API Interface
Finally, several third-party packages that extend DRF can help simplify disabling browsable APIs. For example:
- drf-renderer-xlsx – Provides middleware to set the default renderer class.
- drf-yasg – Swagger/OpenAPI schema generator that disables browsing by default.
These tools act as wrappers around DRF, configuring behavior globally without changing existing code.
Conclusion
Disabling Django Rest Framework’s convenient browsable API interface for production is straightforward using built-in settings and view-level configuration. This improves security, speeds up performance, and focuses operations for API consumers.
Key options include:
- Configuring renderer classes in the Django settings file
- Setting renderer classes on specific viewsets/views
- Customizing renderer classes per handler method
- Leveraging third-party packages like drf-renderer-xlsx and drf-yasg
Taking advantage of these patterns allows keeping the browsable API enabled where useful for development, while limiting exposure for production APIs.