Your website is vulnerable to being tricked into executing uploaded malcious code because the
SECURE_CONTENT_TYPE_NOSNIFF setting is not set.
SecurityMiddleware sets the
X-Content-Type-Options header to nosniff when
This header indicates to the browser that the MIME types advertised in the Content-Type headers should not be changed (by "sniffing" the content).
SECURE_CONTENT_TYPE_NOSNIFF = True, the browser will not infer the MIME type if the Content-Type is not set, closing this security hole.
If our GitHub code review bot spots this issue in your pull request it gives this advice: