See the threads at
- Show external folder html content in django - #2 by KenWhitesell
and - Securing Uploaded Files - #2 by KenWhitesell
for some information and ideas on securing files (both static and media).
In a proper production-quality deployment, your static and media files reside outside your project. Your web server (nginx, apache, etc) should have direct access to those files, but should not (and has no need to) have access to your project iself.