Your website is vulnerable because the CSRF_COOKIE_SECURE setting is not set, so hackers have an easier time stealing your CSRF cookie over HTTP connections, allowing them to circumvent your CSRF protection.
CsrfMiddleware marks the CSRF cookie as secure when CSRF_COOKIE_SECURE = True, so that the browser only sends the cookie over secure HTTPS connections.
Cookies sent over insecure HTTP are unencrypted, so hackers can steal the CSRF cookie using a packet sniffer, allowing them to use it to make a request from their website look to your website as though the logged-in user performed it.
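As an added example (not part of the original advice and not the review bot's own code), a small Python check that classifies CSRF_COOKIE_SECURE in a Django settings file the way a review bot might; the two settings snippets are constructed for illustration and the "secure", "insecure", "missing" and "dynamic" labels are this example's own:

```python
import ast

SETTING = "CSRF_COOKIE_SECURE"


def csrf_cookie_secure_status(settings_source: str) -> str:
    """Classify CSRF_COOKIE_SECURE in Django settings source code.

    Returns "secure" (literal True), "insecure" (any other literal, e.g. False),
    "dynamic" (an expression such as `not DEBUG`, needs manual review) or
    "missing" (never assigned). Only the last top-level assignment counts,
    mirroring the order in which Python executes settings.py.
    """
    status = "missing"
    for node in ast.parse(settings_source).body:
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if SETTING not in names:
            continue
        value = node.value
        if isinstance(value, ast.Constant):
            # `is True` rejects look-alikes such as 1 or "True"
            status = "secure" if value.value is True else "insecure"
        else:
            status = "dynamic"
    return status


# Constructed sample: the weak configuration, setting left unset (defaults to False)
WEAK_SETTINGS = '''
DEBUG = False
SESSION_COOKIE_SECURE = True
'''

# Constructed sample: the corrected configuration
FIXED_SETTINGS = '''
DEBUG = False
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
'''

if __name__ == "__main__":
    for label, source in (("weak", WEAK_SETTINGS), ("fixed", FIXED_SETTINGS)):
        print(f"{label}: {SETTING} is {csrf_cookie_secure_status(source)}")
```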
If our GitHub code review bot spots this issue in your pull request it gives this advice: