Security middleware not activated
Your website is vulnerable to a number of common hacker attacks because MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware.
Django's SecurityMiddleware performs a suite of security checks and enhancements. By not including this middleware the following security features are not enabled:
- HTTP Strict Transport Security SecurityMiddleware can tell the browser to always use HTTPS for your website (avoiding your website doing a HTTP to HTTPS redirect every time).
- Referrer Policy SecurityMiddleware sets the referer policy header, which impacts user privacy.
- X-Content-Type-Options SecurityMiddleware sets the
X-Content-Type-Optionsheader tonosniffto prevent hackers from tricking your website into executing a malicious javascript file that they uploaded. - X-XSS-Protection SecurityMiddleware sets the
X-XSS-Protectionheader to1; mode=blockto enable the browser's built-in XSS protection. This fearure is present on Internet Explorer, Chrome and Safari. - SSL Redirect SecurityMiddleware can redirect HTTP connections to HTTPS if
SECURE_SSL_REDIRECTis set toTrue.
So in practice, do this
MIDDLEWARE = [
'django.middleware.security.SecurityMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
...
]
Instead of this
MIDDLEWARE = [
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
...
]
Are you affected by this? Audit your codebase in seconds to find out.
Configuring this check
Django Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code missing-security-middleware in your pyproject.toml file.