Your website is vulnerable to being tricked into executing uploaded malcious code because the
SECURE_CONTENT_TYPE_NOSNIFF setting is not set.
SecurityMiddleware sets the
X-Content-Type-Options header to nosniff when
This header indicates to the browser that the MIME types advertised in the Content-Type headers should not be changed (by "sniffing" the content).
SECURE_CONTENT_TYPE_NOSNIFF = True, the browser will not infer the MIME type if the Content-Type is not set, closing this security hole.
So in practice, do this
MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', ... ] SECURE_CONTENT_TYPE_NOSNIFF = True
Instead of this
MIDDLEWARE = [ 'django.middleware.security.SecurityMiddleware', ... ]
Django Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code
missing-secure-content-type-nosniff in your pyproject.toml file.