The great thing about using a framework for web development is that most of the security challenges have already been taken care of for you. However, it is still important to stay aware of security vulnerabilities in the design of your sites. Here are a few tips for security when using Python and Django.
Django has a great authentication framework built into it. Use this and extend it rather than creating your own. Unless you have something very specific in mind, you can easily adapt it to your needs. There are open source apps you can plug into your project to get OAuth functionality on top of the built-in user system, so that your users can "Sign in with Facebook".
Django has a permissions system that allows you to easily assign permissions to groups and users and then check those permissions. This is a great thing to use, but permissions issues are often down to oversights in design. In your views, make sure you authenticate the user where needed, and check that they are the user you are expecting, not just the user they say they are. It is all too easy to trust a username in a URL or something similar and give people the right to edit parts of the site they shouldn't be able to. Another important thing to check is that the correct HTTP method has been used. Check for GET or POST and act accordingly, making sure not to overlap functionality in a way that lets a user write data to the database on a GET request (unless you have designed that in for a specific reason).
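The two oversights above (trusting the username from the URL, and writing on GET) are easiest to see side by side. The following is an added illustration, not code from the original post or from Django itself: the `Request`, `User` and `Profile` classes are minimal stand-ins that mimic the attributes a Django view sees (`request.method`, `request.user`, `user.is_authenticated`, `request.GET`/`request.POST`), so the logic runs without Django installed. The `PROFILES` table and its two rows are constructed sample data; `edit_profile_insecure` shows the oversight and `edit_profile` the corrected view.

```python
"""Ownership and HTTP-method checks for an "edit profile" view.

Stand-ins only: Request, User and Profile imitate the attributes Django
hands a view; they are not Django's classes. The two view functions are
the point: one trusts the URL, the other trusts the session.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User(username="", is_authenticated=False)


@dataclass
class Request:
    method: str
    user: User = ANONYMOUS
    GET: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)


@dataclass
class Profile:
    owner: str
    bio: str


# Constructed in-memory table standing in for Profile.objects.
PROFILES = {}


def reset_profiles():
    """(Re)populate the sample table so each scenario starts clean."""
    PROFILES.clear()
    PROFILES["alice"] = Profile(owner="alice", bio="hi")
    PROFILES["bob"] = Profile(owner="bob", bio="yo")
    return PROFILES


class LoginRequired(Exception):
    pass


class Forbidden(Exception):
    pass


class MethodNotAllowed(Exception):
    pass


def edit_profile_insecure(request, username):
    """The oversight the text warns about: identity comes from the URL
    parameter, so any caller can name any profile, and a 'bio' value is
    accepted from GET as well as POST, so a plain link can write data."""
    profile = PROFILES[username]
    new_bio = request.GET.get("bio") or request.POST.get("bio")
    if new_bio is not None:
        profile.bio = new_bio
    return profile


def edit_profile(request, username):
    """Authenticate, tie the URL to the session user, and only write on POST."""
    if not request.user.is_authenticated:
        raise LoginRequired()
    # The username in the URL is a claim; the session user is the fact.
    if request.user.username != username:
        raise Forbidden()
    profile = PROFILES[username]
    if request.method == "GET":
        return profile  # read only: GET never mutates
    if request.method != "POST":
        raise MethodNotAllowed(request.method)
    profile.bio = request.POST.get("bio", profile.bio)
    return profile


def raises(exc, fn, *args):
    """Return True if calling fn(*args) raises exc; used to assert on behaviour."""
    try:
        fn(*args)
    except exc:
        return True
    return False


reset_profiles()
```

In a real Django view the same shape appears as `@login_required`, a lookup such as `get_object_or_404(Profile, owner=request.user)` instead of indexing by the URL value, and `@require_POST` (or an explicit `request.method` check) around the code path that saves.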
The standard way to use databases with Django is to configure them in 'settings.py' and then use the Django model system to interact with the database. This extra layer not only gives you a brilliant object-oriented view of whatever database system you happen to be using underneath, but it also adds a layer of security: because the ORM passes your values to the database driver as parameters rather than pasting them into the query text, you won't normally have to worry about SQL injection. However, it is still possible to run raw SQL queries on the database, and many developers do so for performance reasons or because it is what they are comfortable with after doing PHP or similar development. The best solution is simply to use the Django database models. It might take some getting used to, but it is very capable, and for most sites there will be almost no noticeable performance gain from using SQL directly instead.
If you are a Django developer then you probably know that most site URLs don't map directly to scripts, the exception being static files. The general recommendation is to put the site's code in your home directory on the server, or another path outside the web root and outside any area other servers might be making accessible. Also set the permissions accordingly, so that the web user has execute and read access but not write access to the scripts and the directories they are in. You should serve your static files separately. Django does have a view for serving static content, but you shouldn't use it for anything more than debugging. Set up Apache or Nginx to serve the static files directly; ideally these files should be located in the normal web server root.
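A quick way to confirm the permission policy just described on a deployed code tree is to walk it and flag anything the web user could write to. The script below is an added example, not part of the original post; it assumes the common layout in which the deploy user owns the files and the web server user reaches them through the file group, so it inspects the group and "others" bits and leaves owner bits alone. `make_sample_tree` builds a small constructed directory under a temporary path purely so the audit has something to run against.

```python
"""Audit a code tree for modes that let the web user write to it.

Policy checked (group = web server's group, assumed): files readable by
group, directories traversable by group, nothing writable by group or others.
"""
import os
import stat
import tempfile


def audit_permissions(root):
    """Return a sorted list of (path, problem) tuples for entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "writable by group or others"))
            if not mode & stat.S_IRGRP:
                findings.append((path, "not readable by group"))
            if is_dir and not mode & stat.S_IXGRP:
                findings.append((path, "directory not traversable by group"))
    return sorted(findings)


def make_sample_tree():
    """Constructed sample tree: one compliant file, one world-writable file,
    one directory the web user could not even enter."""
    root = tempfile.mkdtemp(prefix="django_site_")
    os.chmod(root, 0o750)
    good = os.path.join(root, "views.py")
    open(good, "w").close()
    os.chmod(good, 0o640)
    bad = os.path.join(root, "settings.py")
    open(bad, "w").close()
    os.chmod(bad, 0o666)
    closed = os.path.join(root, "private")
    os.mkdir(closed)
    os.chmod(closed, 0o700)
    return {"root": root, "good": good, "bad": bad, "closed": closed}


if __name__ == "__main__":
    paths = make_sample_tree()
    for path, problem in audit_permissions(paths["root"]):
        print(f"{problem}: {path}")
```

Run it against the directory that holds your project (not the static root, which has a different policy) and fix anything it reports with `chmod`; the 0o750 / 0o640 pair used for the compliant entries is the shape the text's advice implies.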