Website can be served with insecure HTTP

Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not set, so an attacker on the network path can read, intercept, and change requests performed over plain HTTP.

SecurityMiddleware redirects HTTP requests to HTTPS when SECURE_SSL_REDIRECT = True, so that browsers do not keep using the website over insecure HTTP connections.

With SECURE_SSL_REDIRECT = True, a browser that makes an HTTP request is redirected to the HTTPS version of the same URL.

So in practice, do this:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]

SECURE_SSL_REDIRECT = True

Instead of this:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]
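The following is an added example, not code from Django or from Django Doctor. It models the redirect decision that SecurityMiddleware makes so that the difference between the two configurations above can be exercised offline: the Settings and Request classes, the ssl_redirect function and the sample hosts and paths are constructed for this illustration; the setting names SECURE_SSL_REDIRECT, SECURE_SSL_HOST, SECURE_REDIRECT_EXEMPT and SECURE_PROXY_SSL_HEADER are real Django settings. The model also covers the exemption list and the case of a TLS-terminating proxy in front of Django, where enabling the redirect without SECURE_PROXY_SSL_HEADER produces a redirect loop.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Settings:
    # Constructed stand-in for the subset of Django settings that
    # SecurityMiddleware reads; the setting names are Django's, the class is not.
    SECURE_SSL_REDIRECT: bool = False
    SECURE_SSL_HOST: Optional[str] = None
    SECURE_REDIRECT_EXEMPT: List[str] = field(default_factory=list)
    SECURE_PROXY_SSL_HEADER: Optional[Tuple[str, str]] = None


@dataclass
class Request:
    # Minimal constructed request model; meta holds WSGI-style header keys.
    host: str
    path: str
    scheme: str = "http"
    query: str = ""
    meta: Dict[str, str] = field(default_factory=dict)

    def is_secure(self, settings: Settings) -> bool:
        # The request counts as secure if it arrived over TLS directly, or if a
        # trusted proxy set the configured header to the configured value.
        if self.scheme == "https":
            return True
        if settings.SECURE_PROXY_SSL_HEADER:
            header, value = settings.SECURE_PROXY_SSL_HEADER
            return self.meta.get(header) == value
        return False

    def full_path(self) -> str:
        return self.path + ("?" + self.query if self.query else "")


def ssl_redirect(request: Request, settings: Settings) -> Optional[str]:
    """Return the https:// URL the middleware would redirect to, or None
    if the request is allowed to proceed over the scheme it arrived on."""
    if not settings.SECURE_SSL_REDIRECT:
        return None  # the vulnerable default: plain HTTP is served as-is
    if request.is_secure(settings):
        return None  # already on HTTPS, nothing to do
    exempt = [re.compile(p) for p in settings.SECURE_REDIRECT_EXEMPT]
    if any(p.search(request.path.lstrip("/")) for p in exempt):
        return None  # explicitly exempted path (e.g. an ACME challenge)
    host = settings.SECURE_SSL_HOST or request.host
    return "https://" + host + request.full_path()


def scenarios() -> Dict[str, Optional[str]]:
    """Walk through the two configurations from the text plus the proxy caveat."""
    login = Request(host="example.com", path="/login/", query="next=/account/")
    off = Settings()                          # "Instead of this" configuration
    on = Settings(SECURE_SSL_REDIRECT=True)   # "do this" configuration
    exempt = Settings(SECURE_SSL_REDIRECT=True,
                      SECURE_REDIRECT_EXEMPT=[r"^\.well-known/acme-challenge/"])
    # Constructed request that a TLS-terminating proxy forwarded over plain HTTP:
    proxied = Request(host="example.com", path="/login/",
                      meta={"HTTP_X_FORWARDED_PROTO": "https"})
    proxy_aware = Settings(SECURE_SSL_REDIRECT=True,
                           SECURE_PROXY_SSL_HEADER=("HTTP_X_FORWARDED_PROTO", "https"))
    return {
        "setting_missing": ssl_redirect(login, off),
        "http_redirected": ssl_redirect(login, on),
        "https_untouched": ssl_redirect(
            Request(host="example.com", path="/login/", scheme="https"), on),
        "acme_exempt": ssl_redirect(
            Request(host="example.com", path="/.well-known/acme-challenge/TOKEN-PLACEHOLDER"),
            exempt),
        # Without SECURE_PROXY_SSL_HEADER the proxied request looks insecure and is
        # redirected again by every hop: the classic loop behind a load balancer.
        "proxy_loop": ssl_redirect(proxied, on),
        "proxy_fixed": ssl_redirect(proxied, proxy_aware),
    }


if __name__ == "__main__":
    for name, target in scenarios().items():
        print(f"{name:16} -> {target}")
```

The "proxy_loop" case is the one to check before enabling the setting in production: if TLS terminates at a proxy, the redirect only works once SECURE_PROXY_SSL_HEADER tells Django which forwarded header to trust, and that header must be set by the proxy rather than passed through from the client.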

Are you affected? Check with pip install django-doctor.

Configuring this check

Django Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-secure-ssl-redirect in your pyproject.toml file.

Read more about configuring Django Doctor.