HSTS browser preload list not activated

Your website must set SECURE_HSTS_PRELOAD in order to be submitted to Chrome's preload list, the list of sites that browsers hardcode as HTTPS-only.

SecurityMiddleware appends the preload directive to the Strict-Transport-Security header when SECURE_HSTS_PRELOAD = True to facilitate this.

Browsers that use the HSTS preload list will make HTTPS requests to your website without first needing to see a response carrying an HSTS header, which closes the window in which the very first request could otherwise travel over plain HTTP.

So in practice, do this

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]

# Note: Chrome's preload submission form additionally requires a max-age of
# at least 31536000 seconds (one year) and SECURE_HSTS_INCLUDE_SUBDOMAINS = True.
SECURE_HSTS_SECONDS = 3600
SECURE_HSTS_PRELOAD = True

Instead of this

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]
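To see what the two settings snippets above actually produce on the wire, here is an added example (not Django's code and not part of Django Doctor) that re-implements how SecurityMiddleware assembles the Strict-Transport-Security header from the SECURE_HSTS_* settings, and then goes one step beyond the page by checking the result against the preload-list submission requirements (max-age of at least one year, includeSubDomains, preload). The settings dicts are constructed stand-ins for django.conf.settings.

```python
import re

ONE_YEAR = 31536000  # minimum max-age accepted for preload-list submission


def build_hsts_header(settings):
    """Return the Strict-Transport-Security value Django would send, or None.

    `settings` is a plain dict standing in for django.conf.settings. Django
    only emits the header at all when SECURE_HSTS_SECONDS is non-zero.
    """
    seconds = int(settings.get("SECURE_HSTS_SECONDS", 0))
    if seconds <= 0:
        return None
    value = f"max-age={seconds}"
    if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
        value += "; includeSubDomains"
    if settings.get("SECURE_HSTS_PRELOAD", False):
        value += "; preload"
    return value


def preload_problems(header):
    """List what stops this header from qualifying for Chrome's preload list."""
    if header is None:
        return ["no Strict-Transport-Security header is sent"]
    problems = []
    directives = [d.strip().lower() for d in header.split(";")]
    match = re.search(r"max-age=(\d+)", header)
    if not match or int(match.group(1)) < ONE_YEAR:
        problems.append(f"max-age must be at least {ONE_YEAR} seconds")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in directives:
        problems.append("preload directive is missing (set SECURE_HSTS_PRELOAD)")
    return problems


# Constructed settings: the page's "do this" snippet, and a submission-ready one.
PAGE_SNIPPET = {"SECURE_HSTS_SECONDS": 3600, "SECURE_HSTS_PRELOAD": True}
PRELOAD_READY = {
    "SECURE_HSTS_SECONDS": ONE_YEAR,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
}

if __name__ == "__main__":
    for name, cfg in (("page snippet", PAGE_SNIPPET), ("preload ready", PRELOAD_READY)):
        header = build_hsts_header(cfg)
        print(f"{name}: {header!r} -> {preload_problems(header) or 'OK'}")
```

Running it shows that the "Instead of this" configuration sends no HSTS header at all, while the "do this" snippet sends "max-age=3600; preload", which the check flags as still too short-lived for submission.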

Are you affected? Check with: pip install django-doctor

Configuring this check

Django Doctor will run this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-hsts-preload in your pyproject.toml file.

Read more about configuring Django Doctor.