Your website must set SECURE_HSTS_PRELOAD
in order to be submitted to Chrome's HSTS preload list: the list of sites that browsers hardcode as HTTPS only.
SecurityMiddleware
adds the preload directive
to the Strict-Transport-Security header when SECURE_HSTS_PRELOAD = True (and SECURE_HSTS_SECONDS is non-zero)
to facilitate this.
Browsers that ship the HSTS preload list upgrade requests to your website to HTTPS on the very first visit, before your website has ever returned a response with an HSTS header, so there is no initial plain-HTTP request for an attacker on the network to intercept.
Note that submission to hstspreload.org also requires a max-age of at least one year (31536000 seconds) and the includeSubDomains directive, and removal from the list is slow, so only enable preload once every subdomain is served over HTTPS.
So in practice, do this:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]
SECURE_HSTS_SECONDS = 3600
SECURE_HSTS_PRELOAD = True

Instead of this:

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    ...
]
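The following is an added example, not code from Django or Django Doctor. It reproduces the way SecurityMiddleware assembles the Strict-Transport-Security value from the three SECURE_HSTS_* settings and adds a small check for the requirements hstspreload.org imposes on that header. The names HstsSettings, hsts_header and preload_problems are this example's own, and the sample settings at the bottom are constructed for illustration.

```python
"""Model of SecurityMiddleware's HSTS header logic plus a preload-list check.

Added example; not Django's or Django Doctor's own code. The dataclass
mirrors the settings SecurityMiddleware reads (SECURE_HSTS_SECONDS,
SECURE_HSTS_INCLUDE_SUBDOMAINS, SECURE_HSTS_PRELOAD).
"""
from dataclasses import dataclass
from typing import List, Optional

# hstspreload.org requires a max-age of at least one year.
ONE_YEAR = 31536000


@dataclass(frozen=True)
class HstsSettings:
    seconds: int = 0                  # SECURE_HSTS_SECONDS
    include_subdomains: bool = False  # SECURE_HSTS_INCLUDE_SUBDOMAINS
    preload: bool = False             # SECURE_HSTS_PRELOAD


def hsts_header(settings: HstsSettings, is_secure: bool = True) -> Optional[str]:
    """Return the Strict-Transport-Security value the middleware would add.

    None means no header: SecurityMiddleware only sets HSTS when
    SECURE_HSTS_SECONDS is non-zero and the request itself was HTTPS.
    """
    if not settings.seconds or not is_secure:
        return None
    value = f"max-age={settings.seconds}"
    if settings.include_subdomains:
        value += "; includeSubDomains"
    if settings.preload:
        value += "; preload"
    return value


def preload_problems(settings: HstsSettings) -> List[str]:
    """List everything that would stop hstspreload.org accepting the site."""
    problems = []
    if settings.seconds < ONE_YEAR:
        problems.append(
            f"max-age must be at least {ONE_YEAR}, got {settings.seconds}"
        )
    if not settings.include_subdomains:
        problems.append("includeSubDomains missing (SECURE_HSTS_INCLUDE_SUBDOMAINS)")
    if not settings.preload:
        problems.append("preload missing (SECURE_HSTS_PRELOAD)")
    return problems


if __name__ == "__main__":
    # Constructed sample settings: the page's "do this" block, and a
    # configuration that would actually pass preload submission.
    page_example = HstsSettings(seconds=3600, preload=True)
    submittable = HstsSettings(seconds=ONE_YEAR, include_subdomains=True, preload=True)
    for label, cfg in (("page example", page_example), ("submittable", submittable)):
        print(f"{label}: {hsts_header(cfg)}")
        for problem in preload_problems(cfg) or ["ready for hstspreload.org"]:
            print(f"  - {problem}")
```

Running it shows that the page's settings produce "max-age=3600; preload", which is enough to satisfy the Django Doctor check but not enough for the preload list until max-age is raised to a year and includeSubDomains is enabled.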
Django Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-hsts-preload
in your pyproject.toml file.