OWASP common attacks

Let's look at some of the most common attacks:

  • SQL Injection: SQL injection occurs when data supplied by the user is sent unfiltered to an interpreter as part of a query, in order to modify the original behavior and execute arbitrary commands or queries in the database. The attacker sends raw SQL statements in the request; if your server uses some of the request content to build SQL queries, it might run the attacker's statement against the database. In Python, though, if you use SQLAlchemy and avoid raw SQL statements altogether, you will be safe. If you use raw SQL, make sure every variable is correctly quoted. More information and OWASP documentation about this kind of injection is available at https://www.owasp.org/index.php/SQL_Injection.
  • Cross Site Scripting (XSS): This attack happens only on web pages that display some HTML. The attacker uses some of the query attributes to try to inject their own piece of JavaScript code into the page, tricking the user into performing actions while thinking they are on the legitimate website. XSS allows attackers to execute scripts in the victim's browser, letting them hijack user sessions, deface websites, or direct the user to a malicious site (https://www.owasp.org/index.php/XSS).
  • Cross-Site Request Forgery (XSRF/CSRF): This attack targets a service by reusing the user's credentials from another website. The typical CSRF attack happens with POST requests. For instance, a malicious website displays a link that tricks the user into performing a POST request on your site using their existing credentials. A CSRF attack forces the browser of an authenticated victim to send a spoofed HTTP request, including the user's session cookies and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to make the victim's browser generate requests that the vulnerable application interprets as legitimate (https://www.owasp.org/index.php/CSRF).
  • Sensitive Data Exposure: Many web applications do not adequately protect sensitive data, such as credit card numbers or authentication credentials. Attackers can steal or modify such data to carry out fraud, identity theft, or other crimes. Sensitive data requires additional protection methods, such as data encryption, as well as special precautions when exchanging data with the browser (https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure).
  • Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages or websites, and use untrusted data to determine the landing page. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwarding to access unauthorized pages.
  • Command Injection: Command injection can occur any time you call a process using popen, subprocess, or os.system and take its arguments from variables. When calling local commands, there is a possibility of someone setting those values to something malicious (https://docs.python.org/3/library/shlex.html#shlex.quote).
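The SQL injection point above, shown as an added example that is not part of the original text: a lookup built by interpolating a request value into a raw SQL string, next to the same lookup using a bound parameter. The table and its two rows are constructed sample data, and the function names are this example's own.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    # Raw SQL built by string formatting: the request value becomes part of
    # the statement text, so a quote character inside it changes the query.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the value travels separately from the statement,
    # so the driver always treats it as data, never as SQL syntax.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input so the difference is visible."""
    conn = build_db()
    return {
        "vulnerable": vulnerable_lookup(conn, username),
        "safe": safe_lookup(conn, username),
    }


if __name__ == "__main__":
    # Legitimate input: both variants return the single matching row.
    print(compare("alice"))
    # Input containing a quote and an OR clause: the raw-SQL variant returns
    # every row, while the parameterized variant matches nothing.
    print(compare("x' OR '1'='1"))
```

Defensive checks that the page's advice implies: grep the code base for f-strings, `%` formatting or `.format()` calls that feed `execute()`, and treat each one as a candidate for conversion to bound parameters.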

There is more information on XSS and CSRF vulnerabilities in Python and Django applications at https://docs.djangoproject.com/en/2.1/topics/security/.
