Security middleware not activated
Your website is vulnerable to a number of common hacker attacks because MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware.
Django's SecurityMiddleware performs a suite of security checks and enhancements. By not including this middleware the following security features are not enabled:
- HTTP Strict Transport Security SecurityMiddleware can tell the browser to always use HTTPS for your website (avoiding your website doing a HTTP to HTTPS redirect every time).
- Referrer Policy SecurityMiddleware sets the referer policy header, which impacts user privacy.
- X-Content-Type-Options SecurityMiddleware sets the
X-Content-Type-Optionsheader tonosniffto prevent hackers from tricking your website into executing a malicious javascript file that they uploaded. - X-XSS-Protection SecurityMiddleware sets the
X-XSS-Protectionheader to1; mode=blockto enable the browser's built-in XSS protection. This fearure is present on Internet Explorer, Chrome and Safari. - SSL Redirect SecurityMiddleware can redirect HTTP connections to HTTPS if
SECURE_SSL_REDIRECTis set toTrue.
So in practice, do this
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
...
]
Instead of this
MIDDLEWARE = [
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
...
]
Are you affected? Check with
pip install django-doctor.
Configuring this check
Django Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code missing-security-middleware in your pyproject.toml file.