Subdomains not protected by HSTS

Your website is vulnerable to Man In The Middle attacks on subdomains because the SECURE_HSTS_INCLUDE_SUBDOMAINS setting is missing - so a hacker can intercept and change requests performed over HTTP.

If your website should be accessed via HTTPS then consider enabling HSTS and setting SECURE_HSTS_INCLUDE_SUBDOMAINS to protect subdomains. This will make the browser block HTTP requests to your website and instead use HTTPS.

HSTS can be thought of like "client side HTTP to HTTPS redirect": the browser will turn HTTP to HTTPS requests.

If your website is using HTTPS, then it is likely that your website redirects HTTP to HTTPS (if not, it should). However, a Man In The Middle attack can intercept the initial HTTP request and instead serve the user a malicious webpage that looks like your website. SECURE_HSTS_INCLUDE_SUBDOMAINS reduces the change of that because the brower will simply not do HTTP requests to your website.

Note it's safe to set SECURE_HSTS_INCLUDE_SUBDOMAINS in your local dev env, as the header is only set when accessing the website via HTTPS, not HTTP.

If we spot this issue in your GitHub pull request we give this advice:

settings.pysecurityhigh
-
SECURE_HSTS_INCLUDE_SUBDOMAINS = False
+
SECURE_HSTS_INCLUDE_SUBDOMAINS = True

Your website is vulnerable to Man In The Middle attacks on subdomains because the SECURE_HSTS_INCLUDE_SUBDOMAINS setting is missing - so a hacker can intercept and change requests performed over HTTP.

Read more
Protect your pull requests from over 40 types of common Django technical debts with our GitHub code review bot.

Configuring this check

Django Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code missing-hsts-subdomain in your pyproject.toml file.

Read more about configuring Django Doctor.