Backend Middleware
Backend Middleware
Source of truth:
- Middleware list:
backend/config/settings.py(MIDDLEWARE) - Implementations:
backend/apps/common/middleware.pybackend/apps/tenants/middleware.py
Ordering (What Runs When)
Relevant highlights from MIDDLEWARE:
whitenoise.middleware.WhiteNoiseMiddlewareserves static assets.corsheaders.middleware.CorsMiddlewaremust run early for cross-origin requests.django.contrib.sessions.middleware.SessionMiddlewareenables cookie sessions.django.middleware.csrf.CsrfViewMiddlewareenforces CSRF for cookie-authenticated unsafe methods.django.contrib.auth.middleware.AuthenticationMiddlewarepopulatesrequest.user.apps.tenants.middleware.TenantMiddlewareselects an active tenant and sets thread-local context.apps.tenants.middleware.TenantRequiredMiddlewarereturns409 TENANT_REQUIREDfor authenticated API calls without an active tenant.
SecurityScannerBlockerMiddleware
apps.common.middleware.SecurityScannerBlockerMiddleware detects common scanner probes (e.g. /.env, /wp-admin) and blocks abusive IPs using Django cache (Redis in production).
TenantRequiredMiddleware (API-only)
This middleware is intentionally API-only:
- No redirects (returns JSON)
- Allows
/_allauth/for login/signup - Allows
/api/v1/workspacesso the user can create/select a workspace
Implementation: backend/apps/tenants/middleware.py.
Last updated June 21, 2026