HSTS browser preload list not activated

Your website must set SECURE_HSTS_PRELOAD in order to be submitted to Chrome's list of sites that are hardcoded as being HTTPS only.

SecurityMidddleware adds preload to the HSTS header when SECURE_HSTS_PRELOAD = True to facilitate this.

Browsers that use the HSTS preload list will perform HTTPS requests without your website first returning a response with a HSTS header.

So in practice, do this



MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]

SECURE_HSTS_SECONDS = 3600
SECURE_HSTS_PRELOAD = True

Instead of this


MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]

Are you affected by this? Audit your codebase in seconds to find out.

Configuring this check

Django Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code missing-hsts-preload in your pyproject.toml file.

Read more about configuring Django Doctor.