Security middleware not activated

Your website is exposed to a number of common attacks because the MIDDLEWARE setting does not include django.middleware.security.SecurityMiddleware.

Django's SecurityMiddleware performs a suite of security checks and enhancements, each controlled by a SECURE_* setting. Without this middleware in MIDDLEWARE the following security features are not enabled, whatever those settings say:

  • HTTP Strict Transport Security: with SECURE_HSTS_SECONDS set, SecurityMiddleware sends a Strict-Transport-Security header on HTTPS responses, telling the browser to use HTTPS only for your website for that many seconds. This stops an attacker on the network from downgrading a returning user to plain HTTP (and, as a side effect, spares the HTTP to HTTPS redirect on later visits).
  • Referrer Policy: SecurityMiddleware sets the Referrer-Policy header from SECURE_REFERRER_POLICY (default same-origin since Django 3.1), which controls how much of the URL is sent to other sites in the Referer header and so affects user privacy.
  • X-Content-Type-Options: SecurityMiddleware sets X-Content-Type-Options to nosniff (SECURE_CONTENT_TYPE_NOSNIFF) so the browser does not guess a content type. Without it, a file an attacker uploaded to your site could be sniffed as HTML or JavaScript and run in your site's origin.
  • X-XSS-Protection: older Django versions set X-XSS-Protection to 1; mode=block (SECURE_BROWSER_XSS_FILTER) to enable the built-in XSS filter in Internet Explorer, Chrome and Safari. Major browsers have since removed these filters (Chrome dropped its XSS Auditor in version 78; Firefox never had one) and Django has since removed the setting, so do not rely on this header.
  • SSL Redirect: with SECURE_SSL_REDIRECT set to True, SecurityMiddleware answers plain HTTP requests with a permanent redirect to the HTTPS URL (paths matching SECURE_REDIRECT_EXEMPT are excluded).

So in practice, do this:

MIDDLEWARE = [
    # First in the list, so an HTTP to HTTPS redirect is issued before the other
    # middleware does any work (as Django's middleware ordering docs recommend).
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]

Instead of this:

MIDDLEWARE = [
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]
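Once the middleware is in place, it is worth confirming that the headers described above actually reach the browser. The following is an added example written for this page, not code from Django or Django Doctor: it audits a response's headers for the protections SecurityMiddleware provides. It inspects a plain header mapping, so it runs offline on the constructed samples below and equally on response.headers from Django's test client (Django 3.2+) or the output of curl -I. The one-year max-age threshold and the wording of the findings are this example's own choices.

```python
"""Check a response for the headers Django's SecurityMiddleware provides.

Added example for this page; it is not code from Django or Django Doctor.
It inspects a plain {header: value} mapping, so it runs offline on the
constructed samples below and equally on a real response (for instance
response.headers from Django's test client, or the output of `curl -I`).
"""
from typing import Dict, List, Mapping

# Policy threshold chosen for this example: an HSTS max-age of one year.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=31536000; includeSubDomains; preload' into
    {'max-age': '31536000', 'includesubdomains': '', 'preload': ''}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def audit_security_headers(headers: Mapping[str, str], https: bool = True) -> List[str]:
    """Return a list of findings; an empty list means every expected header is present.

    https=True means the response was served over TLS. SecurityMiddleware only
    adds Strict-Transport-Security to secure responses, so for a plain-HTTP
    response HSTS is not expected and is not reported.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    # SECURE_CONTENT_TYPE_NOSNIFF (default True): stops MIME sniffing of uploads.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing (SECURE_CONTENT_TYPE_NOSNIFF)")

    # SECURE_REFERRER_POLICY: any explicit policy counts; absence is the finding.
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy is missing (SECURE_REFERRER_POLICY)")

    if https:
        sts = h.get("strict-transport-security")
        if sts is None:
            findings.append("Strict-Transport-Security is missing (SECURE_HSTS_SECONDS)")
        else:
            directives = parse_hsts(sts)
            try:
                max_age = int(directives.get("max-age", "0"))
            except ValueError:
                max_age = 0
            if max_age < MIN_HSTS_MAX_AGE:
                findings.append(
                    f"Strict-Transport-Security max-age={max_age} is below {MIN_HSTS_MAX_AGE}"
                )
            if "includesubdomains" not in directives:
                findings.append(
                    "Strict-Transport-Security lacks includeSubDomains (SECURE_HSTS_INCLUDE_SUBDOMAINS)"
                )
    return findings


def audit_http_redirect(status_code: int, headers: Mapping[str, str]) -> List[str]:
    """For the response to a plain HTTP request: with SECURE_SSL_REDIRECT=True,
    SecurityMiddleware answers with a permanent redirect to the https:// URL."""
    h = {name.lower(): value for name, value in headers.items()}
    location = h.get("location", "")
    if status_code != 301 or not location.lower().startswith("https://"):
        return [
            f"plain HTTP request was not redirected to HTTPS "
            f"(status {status_code}, Location={location!r}); set SECURE_SSL_REDIRECT = True"
        ]
    return []


# Constructed sample responses (not captured from any real site).
WITHOUT_MIDDLEWARE = {"Content-Type": "text/html; charset=utf-8", "Vary": "Cookie"}
WITH_MIDDLEWARE = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
}

if __name__ == "__main__":
    for label, sample in (("without middleware", WITHOUT_MIDDLEWARE), ("with middleware", WITH_MIDDLEWARE)):
        print(f"{label}: {audit_security_headers(sample) or 'OK'}")
    print(audit_http_redirect(200, WITHOUT_MIDDLEWARE) or "OK")
```

In a Django test this becomes a one-liner such as self.assertEqual(audit_security_headers(self.client.get("/", secure=True).headers), []); pass secure=True so the request counts as HTTPS and the HSTS header is expected, and run a second request without it through audit_http_redirect to check the SSL redirect.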

Are you affected? Check with django-doctor:

pip install django-doctor

Configuring this check

Django Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-security-middleware in your pyproject.toml file.

Read more about configuring Django Doctor.