Your website is vulnerable because the SESSION_COOKIE_SECURE
setting is not set - so hackers have an easier time stealing your users' session cookies on HTTP connections.
SessionMiddleware
marks the session cookie as secure when SESSION_COOKIE_SECURE = True
, to make the browser only send cookie over secure HTTPS connection.
Cookies sent over insecure HTTP are unencrypted, so hackers can steal the session cookie using a packet sniffer - allowing them to effectively copy and paste it into their browser and be logged in as the user.
So in practice, do this
import os
MIDDLEWARE = [
'django.contrib.sessions.middleware.SessionMiddleware',
...
]
# allow it to be turned off in local dev env.
SESSION_COOKIE_SECURE = os.getenv('SESSION_COOKIE_SECURE', True)
Instead of this
MIDDLEWARE = [
'django.contrib.sessions.middleware.SessionMiddleware',
...
]
Django Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code missing-session-cookie-secure
in your pyproject.toml file.