Security middleware not activated

Your website is vulnerable to a number of common hacker attacks because the MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware.

Django's SecurityMiddleware performs a suite of security checks and enhancements. By not including this middleware, the following security features are not enabled:

  • HTTP Strict Transport Security: SecurityMiddleware can tell the browser to always use HTTPS for your website (avoiding your website doing an HTTP to HTTPS redirect every time).
  • Referrer Policy: SecurityMiddleware sets the Referrer-Policy header, which affects user privacy.
  • X-Content-Type-Options: SecurityMiddleware sets the X-Content-Type-Options header to nosniff to prevent hackers from tricking your website into executing a malicious JavaScript file that they uploaded.
  • X-XSS-Protection: SecurityMiddleware sets the X-XSS-Protection header to 1; mode=block to enable the browser's built-in XSS protection. This feature is present on Internet Explorer, Chrome and Safari.
  • SSL Redirect: SecurityMiddleware can redirect HTTP connections to HTTPS if SECURE_SSL_REDIRECT is set to True.

If we spot this issue in your GitHub pull request we give this advice:

settings.py (security, high)
MIDDLEWARE = [
+   'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]
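To make the effect of that one-line change concrete, here is an added example (written for this page; it is neither Django Doctor's check logic nor Django's own middleware) that models the response headers SecurityMiddleware adds under a given settings dict and audits a settings module for the gaps described above. The setting names (SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, SECURE_HSTS_PRELOAD, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, SECURE_REFERRER_POLICY, SECURE_SSL_REDIRECT) are Django's real settings; the header logic is an approximation of django.middleware.security for Django 3.1+ and assumes the request arrived over HTTPS, since Django only sends HSTS on secure requests. The BEFORE and AFTER settings are constructed sample data.

```python
# Example added to this page, not Django Doctor's or Django's own code.
# Models the headers SecurityMiddleware adds for a settings dict so the cost
# of omitting it from MIDDLEWARE (or loading it with default settings) can be
# checked offline. Approximates django.middleware.security for Django 3.1+
# and assumes an HTTPS request (HSTS is only emitted on secure requests).

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"


def expected_security_headers(settings):
    """Headers SecurityMiddleware would add to an ordinary response.

    `settings` is a plain dict using Django's real SECURE_* setting names;
    defaults mirror Django 3.1+. SECURE_BROWSER_XSS_FILTER was removed in
    Django 4.0, so on 4.0+ the X-XSS-Protection branch never fires.
    """
    if SECURITY_MIDDLEWARE not in settings.get("MIDDLEWARE", []):
        return {}  # middleware absent: no SECURE_* setting takes effect

    headers = {}
    hsts_seconds = settings.get("SECURE_HSTS_SECONDS", 0)
    if hsts_seconds:
        value = f"max-age={hsts_seconds}"
        if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
            value += "; includeSubDomains"
        if settings.get("SECURE_HSTS_PRELOAD", False):
            value += "; preload"
        headers["Strict-Transport-Security"] = value

    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF", True):
        headers["X-Content-Type-Options"] = "nosniff"

    if settings.get("SECURE_BROWSER_XSS_FILTER", False):
        headers["X-XSS-Protection"] = "1; mode=block"

    policy = settings.get("SECURE_REFERRER_POLICY", "same-origin")
    if policy:
        headers["Referrer-Policy"] = policy

    return headers


def audit_settings(settings):
    """Return human-readable findings; an empty list means no gap was found."""
    findings = []
    middleware = settings.get("MIDDLEWARE", [])
    if SECURITY_MIDDLEWARE not in middleware:
        findings.append("MIDDLEWARE is missing " + SECURITY_MIDDLEWARE)
        return findings  # nothing below matters until the middleware is loaded
    if middleware[0] != SECURITY_MIDDLEWARE:
        findings.append("SecurityMiddleware is not first in MIDDLEWARE; Django's "
                        "default project template puts it first so it runs before "
                        "the rest")
    if not settings.get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT is off: HTTP requests are served as-is")
    if not settings.get("SECURE_HSTS_SECONDS", 0):
        findings.append("SECURE_HSTS_SECONDS is 0: no Strict-Transport-Security header")
    return findings


# Constructed sample settings: the state the check flags, and one fix.
BEFORE = {
    "MIDDLEWARE": [
        "django.middleware.common.CommonMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
    ],
}

AFTER = {
    "MIDDLEWARE": [SECURITY_MIDDLEWARE] + BEFORE["MIDDLEWARE"],
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_REFERRER_POLICY": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "headers:", expected_security_headers(cfg))
        print(name, "findings:", audit_settings(cfg))
```

Running it shows the point of the check: with BEFORE no security header is produced at all, whatever SECURE_* values are set, because the middleware that reads them is not loaded; with AFTER the HSTS, nosniff and Referrer-Policy headers appear and the audit returns no findings. Adding the middleware line is only the first step, since its HSTS and SSL-redirect behaviour stays off until the corresponding settings are turned on.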


Protect your pull requests from over 40 types of common Django technical debt with our GitHub code review bot.

Configuring this check

Django Doctor will run this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-security-middleware in your pyproject.toml file.

Read more about configuring Django Doctor.