Enhance your Django security

Security

Django Doctor checks that your code follows the security best practices in the Django documentation, and offers the fix to save you developer effort.

This gives confidence that your users, business, and reputation are not at risk.

Try the Django Doctor security challenge to see the improvements Django Doctor suggests.

Django Doctor checks for the following security issues:

  • Django version is no longer supported

    Severity: high

    This Django version is past its end of life, so it no longer receives security fixes, data-loss fixes, or regular bug fixes. Any vulnerability disclosed from now on stays unpatched in it.

  • Django bug fixes and additional features available

    Severity: medium

    A newer Django release is available, including bug fixes and new features.

  • Security middleware not activated

    Severity: high

    Your website is exposed to several common attacks because the MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware. This middleware is what sends the headers controlled by the SECURE_* settings (HSTS, X-Content-Type-Options, the redirect to HTTPS), so until it is enabled those settings have no effect. Place it near the top of MIDDLEWARE so the redirect runs before the rest of the stack.

  • Clickjacking protection not activated

    Severity: high

    Your website is vulnerable to clickjacking because the MIDDLEWARE setting is missing django.middleware.clickjacking.XFrameOptionsMiddleware. Without the X-Frame-Options header it sets, an attacker's page can load your site in an invisible frame and trick users into interacting with it without realising.

  • Cross Site Request Forgery protection not activated

    Severity: high

    Your website is vulnerable to CSRF attacks because the MIDDLEWARE setting is missing django.middleware.csrf.CsrfViewMiddleware. Without it, a page controlled by an attacker can make a logged-in user's browser submit state-changing requests to your site, and your site will treat them as the user's own.

  • Cross Site Request Forgery protection weak to packet sniffing

    Severity: high

    Your website is vulnerable because the CSRF_COOKIE_SECURE setting is not enabled, so the CSRF cookie is also sent over plain HTTP, where an attacker on the network path can read it and use the token to get past your CSRF protection.

  • HTTP Strict Transport Security protection not activated

    Severity: high

    Your website is vulnerable to man-in-the-middle attacks because SECURE_HSTS_SECONDS is left at 0, so no Strict-Transport-Security header is sent, and a browser that is tricked into loading the site over HTTP can have its requests intercepted and changed. Start with a small value and raise it only once every part of the site works over HTTPS: browsers remember the header for the full max-age, so a mistake is hard to roll back.

  • Subdomains not protected by HSTS

    Severity: high

    Your website is vulnerable to man-in-the-middle attacks on subdomains because the SECURE_HSTS_INCLUDE_SUBDOMAINS setting is not enabled, so requests to them over HTTP can still be intercepted and changed. Check first that every subdomain is served over HTTPS, because the setting applies to all of them at once.

  • HSTS browser preload list not activated

    Severity: low

    Your website must set SECURE_HSTS_PRELOAD in order to be submitted to the HSTS preload list, the list of sites hardcoded as HTTPS-only that Chrome maintains and other major browsers also use. Submission also requires SECURE_HSTS_INCLUDE_SUBDOMAINS and a SECURE_HSTS_SECONDS of at least one year (31536000).

  • Browser can be tricked into executing uploaded malicious code

    Severity: high

    Your website is vulnerable to content-type sniffing because the SECURE_CONTENT_TYPE_NOSNIFF setting is disabled. Without the X-Content-Type-Options: nosniff header, a browser may guess the type of a response from its contents, so a file a user uploaded can be interpreted and executed as HTML or script instead of being handled as its declared type.

  • Website can be served with insecure HTTP

    Severity: high

    Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not enabled, so requests can be made over plain HTTP, where an attacker can read, intercept, and change them. If TLS is terminated by a proxy or load balancer in front of Django, also set SECURE_PROXY_SSL_HEADER so Django can tell that the request already arrived over HTTPS; otherwise every request is redirected in a loop.

  • Session cookie is vulnerable to packet sniffing attack

    Severity: high

    Your website is vulnerable because the SESSION_COOKIE_SECURE setting is not enabled, so the browser also sends the session cookie over plain HTTP, where an attacker on the network path can read it and hijack the user's session.

  • Session cookie is vulnerable to XSS attack

    Severity: high

    Your website is vulnerable because the SESSION_COOKIE_HTTPONLY setting is disabled, so script running in the page can read the session cookie, and an XSS flaw lets an attacker steal it. HttpOnly only stops script reading the cookie; it does not stop injected script from making requests in the user's name.

  • Are you ready to improve your Django security? Get Django Doctor.
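As an added example, not Django Doctor's code and not Django's, the checker below encodes the settings checks listed above as plain Python over a dict of settings, so it runs offline without a Django install or a project. It also covers the dependencies the list states one item at a time: the SECURE_* settings are inert without SecurityMiddleware, preload submission needs a one-year max-age together with includeSubDomains, and SECURE_SSL_REDIRECT behind a TLS-terminating proxy needs SECURE_PROXY_SSL_HEADER. The version check is left out because it needs current release data. WEAK_SETTINGS and HARDENED_SETTINGS are constructed samples, and the behind_tls_proxy flag is this example's own parameter, not a Django setting. In a real project, Django's built-in `python manage.py check --deploy` performs the same kind of audit against your live settings.

```python
"""Audit a Django settings mapping for the misconfigurations listed above.

Added example, not Django Doctor's or Django's code. Works on a plain dict so
it runs offline; missing keys are treated as Django's documented defaults.
"""
from __future__ import annotations

from typing import Any

ONE_YEAR = 31_536_000  # seconds; minimum max-age the HSTS preload list accepts

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
CLICKJACK_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"


def audit_settings(s: dict[str, Any], behind_tls_proxy: bool = False) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a settings mapping.

    behind_tls_proxy is this example's own flag (not a Django setting): True
    when a proxy or load balancer terminates TLS in front of Django.
    """
    findings: list[tuple[str, str]] = []
    mw = s.get("MIDDLEWARE", [])

    if SECURITY_MW not in mw:
        findings.append(("high", "SecurityMiddleware missing; SECURE_* settings have no effect"))
    if CLICKJACK_MW not in mw:
        findings.append(("high", "XFrameOptionsMiddleware missing; no X-Frame-Options header"))
    if CSRF_MW not in mw:
        findings.append(("high", "CsrfViewMiddleware missing; no CSRF token check"))

    # HSTS: SECURE_HSTS_SECONDS defaults to 0, which disables the header entirely.
    hsts = int(s.get("SECURE_HSTS_SECONDS", 0))
    subdomains = bool(s.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False))
    preload = bool(s.get("SECURE_HSTS_PRELOAD", False))
    if hsts <= 0:
        findings.append(("high", "SECURE_HSTS_SECONDS is 0; no Strict-Transport-Security header"))
    if not subdomains:
        findings.append(("high", "SECURE_HSTS_INCLUDE_SUBDOMAINS is False; subdomains unprotected"))
    if not preload:
        findings.append(("low", "SECURE_HSTS_PRELOAD is False; site cannot be submitted for preload"))
    elif hsts < ONE_YEAR or not subdomains:
        # The 'preload' directive is emitted, but the preload list rejects the submission.
        findings.append(("low", "preload set but max-age < 1 year or subdomains excluded"))

    # SECURE_CONTENT_TYPE_NOSNIFF defaults to True since Django 3.0; flag an explicit False.
    if not s.get("SECURE_CONTENT_TYPE_NOSNIFF", True):
        findings.append(("high", "SECURE_CONTENT_TYPE_NOSNIFF is False; MIME sniffing allowed"))

    if not s.get("SECURE_SSL_REDIRECT", False):
        findings.append(("high", "SECURE_SSL_REDIRECT is False; site served over plain HTTP"))
    elif behind_tls_proxy and not s.get("SECURE_PROXY_SSL_HEADER"):
        # Django cannot see that the proxy used HTTPS, so it redirects every request forever.
        findings.append(("high", "SECURE_SSL_REDIRECT behind a TLS proxy without "
                                 "SECURE_PROXY_SSL_HEADER: redirect loop"))

    if not s.get("CSRF_COOKIE_SECURE", False):
        findings.append(("high", "CSRF_COOKIE_SECURE is False; CSRF cookie sent over HTTP"))
    if not s.get("SESSION_COOKIE_SECURE", False):
        findings.append(("high", "SESSION_COOKIE_SECURE is False; session cookie sent over HTTP"))
    if not s.get("SESSION_COOKIE_HTTPONLY", True):  # default True; flag an explicit False
        findings.append(("high", "SESSION_COOKIE_HTTPONLY is False; script can read the session cookie"))
    return findings


# Constructed sample: development settings promoted to production unchanged.
WEAK_SETTINGS: dict[str, Any] = {
    "MIDDLEWARE": [
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        "django.contrib.auth.middleware.AuthenticationMiddleware",
    ],
}

# Constructed sample: the same project with every setting this page recommends.
HARDENED_SETTINGS: dict[str, Any] = {
    "MIDDLEWARE": [
        SECURITY_MW,  # near the top so the HTTPS redirect runs before the rest
        "django.contrib.sessions.middleware.SessionMiddleware",
        "django.middleware.common.CommonMiddleware",
        CSRF_MW,
        "django.contrib.auth.middleware.AuthenticationMiddleware",
        CLICKJACK_MW,
    ],
    "SECURE_HSTS_SECONDS": ONE_YEAR,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{name} settings:")
        for sev, msg in audit_settings(cfg, behind_tls_proxy=True) or [("ok", "no findings")]:
            print(f"  [{sev.upper()}] {msg}")
```

Run against WEAK_SETTINGS the audit reports eight high and one low finding; HARDENED_SETTINGS is clean even behind a TLS proxy, and removing only SECURE_PROXY_SSL_HEADER from it while behind_tls_proxy=True yields the single redirect-loop finding.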