Cross-Site Request Forgery protection not activated

Your website is vulnerable to CSRF attacks because the MIDDLEWARE setting is missing CsrfViewMiddleware, so an attacker can fool your website into thinking a request is coming from a logged-in user.

If unprotected, when one of your logged-in users accesses a malicious website, that website can perform a request to your website and your website will think the request was performed by the user.

This can be avoided by using CSRF protection, which adds a rotating secret token to the forms on your website. Django then checks that the token submitted with a POST matches the one it issued to that user. If it does not, the request probably did not originate from your website and is rejected.

Additionally, making sure that GET requests are free from side-effects (so don't let a GET create a database entry) helps avoid this problem, because CSRF protection only covers state-changing methods such as POST.
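To show what the middleware is doing for you, here is an added, self-contained example (not Code Review Doctor's or Django's own code) of a synchronizer-token check in the style of CsrfViewMiddleware: a GET only renders the form, a POST changes state only after the token unmasks to the session secret, and a forged cross-site POST without the token is refused. The view name, session keys and the simplified masking cipher are assumptions made for the illustration.

```python
import hmac
import secrets

SECRET_BYTES = 16  # size of the per-session secret (assumption for this example)


def new_csrf_secret() -> bytes:
    """Secret issued once per session and kept server-side (Django keeps it in a cookie/session)."""
    return secrets.token_bytes(SECRET_BYTES)


def mask(secret: bytes) -> str:
    """Return a fresh token for each rendered form: random pad || (secret XOR pad).

    The string changes on every render (the rotating token described above) but every
    variant unmasks to the same session secret. Simplified stand-in, not Django's cipher."""
    pad = secrets.token_bytes(SECRET_BYTES)
    return (pad + bytes(a ^ b for a, b in zip(secret, pad))).hex()


def token_matches(token: str, secret: bytes) -> bool:
    """Unmask a submitted token and compare it to the session secret in constant time."""
    try:
        data = bytes.fromhex(token)
    except ValueError:
        return False
    if len(data) != 2 * SECRET_BYTES:
        return False
    pad, body = data[:SECRET_BYTES], data[SECRET_BYTES:]
    return hmac.compare_digest(bytes(a ^ b for a, b in zip(body, pad)), secret)


def handle(request: dict, session: dict) -> tuple[int, str]:
    """Toy view (hypothetical). GET renders the form with no side effects; POST changes
    state only after the token check, so a request forged from another site is rejected."""
    if request["method"] == "GET":
        secret = session.setdefault("csrf_secret", new_csrf_secret())
        return 200, f'<input type="hidden" name="csrfmiddlewaretoken" value="{mask(secret)}">'
    if request["method"] == "POST":
        secret = session.get("csrf_secret")
        token = request.get("form", {}).get("csrfmiddlewaretoken", "")
        if secret is None or not token_matches(token, secret):
            return 403, "CSRF verification failed"
        session["orders"] = session.get("orders", 0) + 1  # the only state change in this view
        return 200, "order placed"
    return 405, "method not allowed"
```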

If our GitHub code review bot spots this issue in your pull request it gives this advice:

django-doctor bot suggested changes to settings.py:

    MIDDLEWARE = [
        'django.middleware.common.CommonMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        ...
        'django.middleware.csrf.CsrfViewMiddleware',
    ]

Your website is vulnerable to CSRF attacks because the MIDDLEWARE setting is missing CsrfViewMiddleware - so a hacker can fool your website into thinking a request is coming from a logged-in user.

Configuring this check

Code Review Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-csrf-middleware in your pyproject.toml file.

Read more about configuring Code Review Doctor.