HSTS browser preload list not activated

Your website must set SECURE_HSTS_PRELOAD in order to be submitted to Chrome's list of sites that are hardcoded as being HTTPS only.

SecurityMiddleware adds the preload directive to the HSTS header when SECURE_HSTS_PRELOAD = True to facilitate this.

Browsers that use the HSTS preload list will make HTTPS requests to your website from the first visit, without your website first having to return a response with an HSTS header.
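As an added example (not Django's or Django Doctor's own code), the sketch below mirrors how the three HSTS settings combine into the header on an HTTPS response, then checks that header against the preload list's header requirements. The function names are hypothetical, and the one-year minimum max-age and the includeSubDomains requirement are taken from hstspreload.org's submission rules, not from this page.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year; assumed minimum from hstspreload.org


def build_hsts_header(seconds, include_subdomains=False, preload=False):
    """Mirror the documented effect of SECURE_HSTS_SECONDS,
    SECURE_HSTS_INCLUDE_SUBDOMAINS and SECURE_HSTS_PRELOAD on an HTTPS response."""
    if not seconds:
        return None  # no header is sent, so SECURE_HSTS_PRELOAD = True does nothing
    value = f"max-age={seconds}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: argument or True}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or True
    return directives


def preload_problems(value):
    """Return the reasons a header would fail the preload list's header checks."""
    if value is None:
        return ["no Strict-Transport-Security header is sent"]
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if not (isinstance(max_age, str) and max_age.isascii() and max_age.isdigit()):
        problems.append("max-age is missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains is missing")
    if "preload" not in d:
        problems.append("preload is missing")
    return problems


if __name__ == "__main__":
    # Constructed settings combinations, not taken from a real site.
    for args in [(0, True, True), (3600, False, True), (31536000, True, True)]:
        header = build_hsts_header(*args)
        print(args, "->", header, "->", preload_problems(header) or "eligible")
```
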

If we spot this issue in your GitHub pull request we give this advice:

settings.py | security | low
-
SECURE_HSTS_PRELOAD = False
+
SECURE_HSTS_PRELOAD = True
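Review bot: the added SECURE_HSTS_PRELOAD = True line has no effect on its own, because Django only sends the HSTS header (and so the preload directive) when SECURE_HSTS_SECONDS is non-zero, and this diff shows neither that setting nor SECURE_HSTS_INCLUDE_SUBDOMAINS. Confirm both are set in settings.py alongside this change, and that every subdomain already serves HTTPS, since removal from a browser's preload list is slow once a site has been accepted.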

Your website must set SECURE_HSTS_PRELOAD in order to be submitted to Chrome's list of sites that are hardcoded as being HTTPS only.

Protect your pull requests from over 40 types of common Django technical debt with our GitHub code review bot.

Configuring this check

Django Doctor will run this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-hsts-preload in your pyproject.toml file.

Read more about configuring Django Doctor.