Your website is vulnerable to Man In The Middle attacks because the
SECURE_HSTS_SECONDS setting is missing - so a hacker can intercept and change requests performed over HTTP.
If your website should be accessed via HTTPS then consider setting
SECURE_HSTS_SECONDS. This will make the browser block HTTP requests to your website and instead use HTTPS.
HSTS can be thought of like "client side HTTP to HTTPS redirect": the browser will turn HTTP to HTTPS requests.
If your website is using HTTPS, then it is likely that your website redirects HTTP to HTTPS (if not, it should). However, a Man In The Middle attack can intercept the initial HTTP request and instead serve the user a malicious webpage that looks like your website.
SECURE_HSTS_SECONDS reduces the change of that because the brower will simply not do HTTP requests to your website.
When first setting
SECURE_HSTS_SECONDS it's worth using a small value like 3600 (1 hour) to check it works as expected, as once the browser sees the HSTS header it will respect it until the specified time is met.
Note it's safe to set
SECURE_HSTS_SECONDS in your local dev env, as the header is only set when accessing the website via HTTPS, not HTTP.
So in practice, do this
MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', ... ] SECURE_HSTS_SECONDS = 3600 # change to much larger once you're confident HTTPS works ok
Instead of this
MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', ... ]
pip install django-doctor.
Django Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code
missing-hsts-middleware in your pyproject.toml file.