Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not set, so a hacker can read, intercept, and change requests performed over HTTP.
SecurityMiddleware redirects HTTP to HTTPS when SECURE_SSL_REDIRECT = True, preventing browsers from using the website over insecure HTTP connections. With SECURE_SSL_REDIRECT = True, a browser that performs an HTTP request is redirected to the HTTPS version of the same URL.
So in practice, do this:

```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]
SECURE_SSL_REDIRECT = True
```

Instead of this:

```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]
```
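The following is an added example, not Django Doctor's own implementation: a static check that parses a settings module with `ast` (so the settings are never imported or executed), reports the page's check code `missing-secure-ssl-redirect` when SECURE_SSL_REDIRECT is absent or not literally True, and additionally reports a hypothetical `missing-security-middleware` code when SecurityMiddleware is not installed, since the setting has no effect without it.

```python
# Added example (not Django Doctor's code): a static settings check done
# with `ast`, so the settings module is parsed rather than imported/executed.
import ast

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"


def _assignments(tree):
    """Map NAME -> value node for simple module-level `NAME = value` lines."""
    found = {}
    for node in tree.body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    found[target.id] = node.value
    return found


def check_secure_ssl_redirect(settings_source):
    """Return sorted finding codes for the given settings.py source text."""
    assignments = _assignments(ast.parse(settings_source))
    findings = []

    redirect = assignments.get("SECURE_SSL_REDIRECT")
    # Only a literal True passes; an absent setting defaults to False in Django.
    if not (isinstance(redirect, ast.Constant) and redirect.value is True):
        findings.append("missing-secure-ssl-redirect")

    middleware = assignments.get("MIDDLEWARE")
    names = []
    if isinstance(middleware, (ast.List, ast.Tuple)):
        names = [e.value for e in middleware.elts
                 if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    # Hypothetical extra code: without SecurityMiddleware the setting does nothing.
    if SECURITY_MIDDLEWARE not in names:
        findings.append("missing-security-middleware")
    return sorted(findings)


# Constructed sample settings mirroring the page's "do this" / "instead of this".
GOOD_SETTINGS = """
MIDDLEWARE = ['django.middleware.security.SecurityMiddleware']
SECURE_SSL_REDIRECT = True
"""
BAD_SETTINGS = """
MIDDLEWARE = ['django.middleware.security.SecurityMiddleware']
"""
```

Running `check_secure_ssl_redirect(BAD_SETTINGS)` returns `['missing-secure-ssl-redirect']`, while the good settings return an empty list.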
Django Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-secure-ssl-redirect in your pyproject.toml file.