Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not set, so a hacker can read, intercept, and change requests performed over HTTP.

SecurityMiddleware redirects HTTP to HTTPS when SECURE_SSL_REDIRECT = True, which prevents browsers from using the website over insecure HTTP connections. With SECURE_SSL_REDIRECT = True, a browser that performs an HTTP request is redirected to the same URL over HTTPS.
If we spot this issue in your GitHub pull request we give this advice:
Django Doctor will run this check by default. No configuration is needed, but the check can be turned on/off using the check code missing-secure-ssl-redirect in your pyproject.toml file.
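As an added illustration (not Django Doctor's own implementation), the following script parses a Django settings module with the standard library `ast` module and reports the same class of finding, using the check code name from above; the function names and the sample settings strings are constructed for this example.

```python
import ast

CHECK_CODE = "missing-secure-ssl-redirect"          # check code named on the page
SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"


def find_setting(source: str, name: str):
    """Return the value node of the last top-level `name = ...` in settings
    source, or None when the setting is never assigned."""
    value = None
    for node in ast.parse(source).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id == name:
                    value = node.value          # last assignment wins, as in Python
    return value


def security_middleware_installed(source: str) -> bool:
    """True when MIDDLEWARE is a literal list/tuple containing SecurityMiddleware."""
    node = find_setting(source, "MIDDLEWARE")
    if not isinstance(node, (ast.List, ast.Tuple)):
        return False
    return any(isinstance(e, ast.Constant) and e.value == SECURITY_MIDDLEWARE
               for e in node.elts)


def check_secure_ssl_redirect(source: str) -> list:
    """Return a list of findings; an empty list means the settings look fine."""
    node = find_setting(source, "SECURE_SSL_REDIRECT")
    if node is None:
        return [f"{CHECK_CODE}: SECURE_SSL_REDIRECT is not set, so HTTP "
                "requests are served as-is instead of being redirected to HTTPS"]
    if isinstance(node, ast.Constant) and node.value is not True:
        return [f"{CHECK_CODE}: SECURE_SSL_REDIRECT = {node.value!r}; "
                "set it to True in production"]
    if not isinstance(node, ast.Constant):
        # Env lookups and expressions cannot be decided statically; flag for review.
        return [f"{CHECK_CODE}: SECURE_SSL_REDIRECT is computed at runtime "
                f"({ast.unparse(node)}); confirm it is True in production"]
    if not security_middleware_installed(source):
        # The setting is only acted on by SecurityMiddleware (hypothetical extra check).
        return [f"{CHECK_CODE}: SECURE_SSL_REDIRECT = True has no effect because "
                f"{SECURITY_MIDDLEWARE} is not in MIDDLEWARE"]
    return []


# Constructed sample settings (not from any real project).
VULNERABLE_SETTINGS = 'DEBUG = False\nMIDDLEWARE = ["django.middleware.security.SecurityMiddleware"]\n'
HARDENED_SETTINGS = VULNERABLE_SETTINGS + "SECURE_SSL_REDIRECT = True\n"
```

When TLS is terminated at a reverse proxy, the redirect must be paired with SECURE_PROXY_SSL_HEADER so Django can recognise the original request as secure; otherwise every request is redirected again.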