Your website is vulnerable to a number of common attacks because the MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware.
Django's SecurityMiddleware performs a suite of security checks and enhancements. Without this middleware, the following security features are missing:
- Setting the X-Content-Type-Options header to nosniff, which stops an attacker from tricking the browser into executing a file they uploaded to your website as JavaScript.
- Setting the X-XSS-Protection header to 1; mode=block, which enables the browser's built-in XSS protection. This feature is present in Internet Explorer, Chrome and Safari.
- Redirecting requests to HTTPS when SECURE_SSL_REDIRECT is set to True.
So in practice, do this:
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]
Instead of this:
MIDDLEWARE = [
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]
Django Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-security-middleware in your pyproject.toml file.
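As an added example (not Django Doctor's own code), here is a standalone version of the missing-security-middleware check that parses a settings module's source with the standard library's ast module and reports the check code when SecurityMiddleware is absent. It goes one step beyond the page's check by also flagging, under the invented code name security-middleware-not-first, a MIDDLEWARE list where SecurityMiddleware is present but not first; the two settings snippets are constructed to mirror the page's "do this" and "instead of this" blocks.

```python
# Added example (not Django Doctor's own code): a standalone version of the
# missing-security-middleware check, run over a settings module's source text.
import ast

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"


def middleware_entries(settings_source: str):
    """Return the string literals in MIDDLEWARE, or None if it is never assigned."""
    for node in ast.walk(ast.parse(settings_source)):
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == "MIDDLEWARE" for t in node.targets):
            continue
        if isinstance(node.value, (ast.List, ast.Tuple)):
            # Keep plain string literals only; `...` and other expressions are skipped.
            return [e.value for e in node.value.elts
                    if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return None


def check_security_middleware(settings_source: str) -> list:
    """Return the check codes that fire for this settings source ([] means clean)."""
    entries = middleware_entries(settings_source)
    if entries is None or SECURITY_MIDDLEWARE not in entries:
        return ["missing-security-middleware"]
    findings = []
    # Beyond the page's check: Django's docs advise putting SecurityMiddleware near
    # the top so the SECURE_SSL_REDIRECT redirect fires before other middleware runs.
    # The code name "security-middleware-not-first" is invented for this example.
    if entries[0] != SECURITY_MIDDLEWARE:
        findings.append("security-middleware-not-first")
    return findings


# Constructed settings snippets mirroring the page's "do this" / "instead of this".
GOOD_SETTINGS = """
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
]
"""
BAD_SETTINGS = """
MIDDLEWARE = [
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
]
"""
```

Running check_security_middleware(BAD_SETTINGS) returns ["missing-security-middleware"], while GOOD_SETTINGS returns an empty list.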