Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not set, so a hacker can read, intercept, and change requests performed over HTTP.

SecurityMiddleware redirects HTTP to HTTPS when SECURE_SSL_REDIRECT = True, to prevent browsers from using the website over insecure HTTP connections. With SECURE_SSL_REDIRECT = True, a browser that performs an HTTP request is redirected to the HTTPS equivalent of the same URL.
So in practice, do this:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]
SECURE_SSL_REDIRECT = True

Instead of this:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]
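The page describes the pairing of SecurityMiddleware with SECURE_SSL_REDIRECT = True but does not show how a check for it works. The following is an added example, not code from Django Doctor or from Django: it parses a settings module with the standard-library ast module and reports the missing-secure-ssl-redirect check code when SECURE_SSL_REDIRECT is absent or not True. It additionally flags a settings file where SECURE_SSL_REDIRECT is True but SecurityMiddleware is not in MIDDLEWARE (the redirect is performed by that middleware, so the setting alone does nothing); that second finding is this example's own addition, not a documented Django Doctor behaviour. The settings sources at the bottom are constructed for the demonstration.

```python
import ast

# Check code named on the page; the finding text is this example's own wording.
CHECK_CODE = "missing-secure-ssl-redirect"
SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"

SETTING_NOT_TRUE = f"{CHECK_CODE}: SECURE_SSL_REDIRECT is not set to True"
# Assumed extra finding (not part of the documented check): the setting is
# only honoured by SecurityMiddleware, so report when that middleware is absent.
MIDDLEWARE_MISSING = (
    f"{CHECK_CODE}: SecurityMiddleware is not in MIDDLEWARE, so no redirect runs"
)


def _module_assignments(tree: ast.Module) -> dict:
    """Map top-level NAME = value assignments to their AST value nodes."""
    assigned = {}
    for node in tree.body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    assigned[target.id] = node.value
    return assigned


def _string_elements(node) -> list:
    """String literals inside a list/tuple literal; non-literal entries are ignored."""
    if not isinstance(node, (ast.List, ast.Tuple)):
        return []
    return [
        elt.value
        for elt in node.elts
        if isinstance(elt, ast.Constant) and isinstance(elt.value, str)
    ]


def check_settings(source: str) -> list:
    """Return a list of finding strings for a Django settings module source."""
    tree = ast.parse(source)
    assigned = _module_assignments(tree)
    findings = []

    redirect = assigned.get("SECURE_SSL_REDIRECT")
    redirect_is_true = isinstance(redirect, ast.Constant) and redirect.value is True
    if not redirect_is_true:
        findings.append(SETTING_NOT_TRUE)

    middleware = _string_elements(assigned.get("MIDDLEWARE"))
    if SECURITY_MIDDLEWARE not in middleware:
        findings.append(MIDDLEWARE_MISSING)

    return findings


# Constructed sample settings modules for the demonstration.
GOOD_SETTINGS = """
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
]
SECURE_SSL_REDIRECT = True
"""

SETTING_ABSENT = """
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
]
"""

SETTING_FALSE = """
MIDDLEWARE = ['django.middleware.security.SecurityMiddleware']
SECURE_SSL_REDIRECT = False
"""

NO_MIDDLEWARE = """
MIDDLEWARE = ['django.middleware.common.CommonMiddleware']
SECURE_SSL_REDIRECT = True
"""

if __name__ == "__main__":
    for name, src in [("good", GOOD_SETTINGS), ("absent", SETTING_ABSENT),
                      ("false", SETTING_FALSE), ("no_middleware", NO_MIDDLEWARE)]:
        print(name, check_settings(src) or "ok")
```

The checker only recognises literal `True`; an expression such as `SECURE_SSL_REDIRECT = not DEBUG` is reported as not set, which is the conservative choice for a lint. One deployment caveat that the example does not model: when Django sits behind a TLS-terminating proxy, SECURE_PROXY_SSL_HEADER must also be configured so that SecurityMiddleware can tell that the original request was already HTTPS; otherwise every request looks like HTTP and the redirect loops.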
Django Doctor will run this check by default. No configuration is needed, but the check can be turned on/off using the check code missing-secure-ssl-redirect in your pyproject.toml file.