Your website is vulnerable because the
SESSION_COOKIE_HTTPONLY setting is not set - so hackers have an easier time stealing your users' session cookies using an XSS attack.
SessionMiddleware marks the session cookie as httpOnly when
So in practice, do this
import os MIDDLEWARE = [ 'django.contrib.sessions.middleware.SessionMiddleware', ... ] # not need to set SESSION_COOKIE_HTTPONLY as it's True by default
Instead of this
MIDDLEWARE = [ 'django.contrib.sessions.middleware.SessionMiddleware', ... ] SESSION_COOKIE_HTTPONLY = False
Django Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code
missing-session-cookie-http-only in your pyproject.toml file.