Security middleware not activated

Your website is vulnerable to a number of common attacks because the MIDDLEWARE setting does not include django.middleware.security.SecurityMiddleware.

Django's SecurityMiddleware performs a suite of security checks and enhancements. Without this middleware, the following security features are not enabled:

  • HTTP Strict Transport Security: SecurityMiddleware can tell the browser to always use HTTPS for your website, avoiding an HTTP-to-HTTPS redirect on every visit.
  • Referrer Policy: SecurityMiddleware sets the Referrer-Policy header, which affects user privacy.
  • X-Content-Type-Options: SecurityMiddleware sets the X-Content-Type-Options header to nosniff, to prevent attackers from tricking the browser into executing a malicious JavaScript file that they uploaded.
  • X-XSS-Protection: SecurityMiddleware sets the X-XSS-Protection header to 1; mode=block to enable the browser's built-in XSS protection. This feature is present on Internet Explorer, Chrome and Safari.
  • SSL Redirect: SecurityMiddleware can redirect HTTP connections to HTTPS if SECURE_SSL_REDIRECT is set to True.

So in practice, do this:


MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]

Instead of this:


MIDDLEWARE = [
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]
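The following is an added example, not Django Doctor's own code, showing how the two settings lists above can be audited and how the headers listed earlier can be verified on a running site. The first check parses a settings module with the standard-library ast module and requires SecurityMiddleware to be listed first, matching the placement in the "do this" example (this strict first-position rule is an assumption of the example, not a Django Doctor rule). The second check takes a dict of captured response headers and reports which of the headers attributed to SecurityMiddleware are absent or carry an unexpected value; the EXPECTED_HEADERS table and the sample settings and headers are constructed for this example.

```python
"""Audit Django settings for SecurityMiddleware and verify its headers.

Added example, not Django Doctor's own code. Two checks, both run offline on
constructed input:
  1. audit_middleware() parses a settings module with the standard-library
     ``ast`` module and reports whether
     ``django.middleware.security.SecurityMiddleware`` is present in
     MIDDLEWARE and listed first (the placement the page's "do this" uses).
  2. missing_security_headers() takes the response headers of a deployed
     site and lists which of the headers the page attributes to
     SecurityMiddleware are absent or carry an unexpected value.
"""
import ast
from typing import Dict, List, Optional

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"

# Constructed settings snippets mirroring the two lists shown on the page.
GOOD_SETTINGS = """
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]
"""

BAD_SETTINGS = """
MIDDLEWARE = [
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]
"""


def middleware_entries(settings_source: str) -> Optional[List[str]]:
    """Return the string entries of the MIDDLEWARE list/tuple, or None if the
    setting is absent or not a literal sequence (e.g. built dynamically)."""
    for node in ast.walk(ast.parse(settings_source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "MIDDLEWARE"
                   for t in node.targets):
            continue
        if not isinstance(node.value, (ast.List, ast.Tuple)):
            return None
        # Non-string elements such as the page's literal ``...`` are skipped.
        return [
            elt.value
            for elt in node.value.elts
            if isinstance(elt, ast.Constant) and isinstance(elt.value, str)
        ]
    return None


def audit_middleware(settings_source: str) -> List[str]:
    """Return findings for the MIDDLEWARE setting; an empty list means it passes."""
    entries = middleware_entries(settings_source)
    if entries is None:
        return ["MIDDLEWARE is missing or is not a literal list/tuple"]
    if SECURITY_MIDDLEWARE not in entries:
        return ["missing-security-middleware: " + SECURITY_MIDDLEWARE
                + " is not in MIDDLEWARE"]
    if entries[0] != SECURITY_MIDDLEWARE:
        return ["SecurityMiddleware is present but not first in MIDDLEWARE"]
    return []


# Headers the page attributes to SecurityMiddleware (assumed table for this
# example). None means "any value is acceptable, only check presence"; a
# string means an exact, case-insensitive match is required.
EXPECTED_HEADERS = {
    "strict-transport-security": None,
    "referrer-policy": None,
    "x-content-type-options": "nosniff",
}


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the expected headers that are absent or have a wrong value.

    ``headers`` maps response header names to values, as captured from an
    HTTPS response of the site under review; names match case-insensitively."""
    got = {name.lower(): value.strip() for name, value in headers.items()}
    problems = []
    for name, expected in EXPECTED_HEADERS.items():
        if name not in got:
            problems.append(f"{name}: missing")
        elif expected is not None and got[name].lower() != expected:
            problems.append(f"{name}: expected {expected!r}, got {got[name]!r}")
    return problems


if __name__ == "__main__":
    for label, src in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(label, audit_middleware(src) or "OK")
    # Constructed headers from a site with the middleware enabled but no HSTS
    # configured (SECURE_HSTS_SECONDS left at its default of 0).
    sample = {
        "Content-Type": "text/html",
        "Referrer-Policy": "same-origin",
        "X-Content-Type-Options": "nosniff",
    }
    print(missing_security_headers(sample))
```

Run it against a project's settings.py contents and against the headers returned by a real HTTPS response to confirm both that the middleware is configured and that its effect is actually reaching browsers; a missing Strict-Transport-Security header with the middleware present usually means SECURE_HSTS_SECONDS was never set.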

Are you affected by this? Audit your codebase in seconds to find out.

Configuring this check

Django Doctor will run this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-security-middleware in your pyproject.toml file.

Read more about configuring Django Doctor.