Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not enabled, so an attacker can read, intercept, and change requests performed over HTTP.
SecurityMiddleware redirects HTTP to HTTPS when SECURE_SSL_REDIRECT = True, preventing browsers from using the website over insecure HTTP connections. With SECURE_SSL_REDIRECT = True, any HTTP request the browser makes is answered with a redirect to the HTTPS version of the URL.
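The setting is usually driven by an environment flag so it can be switched off for a local development server. The following is an added example, not code from the page or its review bot, of parsing such a flag strictly: unknown values raise instead of silently disabling the redirect, and the variable name `HTTPS_ONLY` and the `environ` parameter are assumptions for illustration.

```python
import os

# Added example (not the page's code): strict parsing of a boolean feature
# flag from the environment. Unlike ast.literal_eval, which accepts "True"
# but raises on spellings such as "false" or "off" and evaluates any other
# Python literal it is handed, the accepted spellings are made explicit.
TRUE_VALUES = {"1", "true", "yes", "on"}
FALSE_VALUES = {"0", "false", "no", "off"}


def env_flag(name, default=True, environ=None):
    """Return the boolean value of environment variable `name`.

    `environ` defaults to os.environ; it is a parameter only so the function
    can be exercised with a constructed mapping. An unset variable yields
    `default`; an unrecognised value is an error, so a typo cannot quietly
    turn the HTTPS redirect off.
    """
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_VALUES:
        return True
    if value in FALSE_VALUES:
        return False
    raise ValueError(f"{name}={raw!r} is not a recognised boolean flag")


# Django settings fragment (hypothetical project): HTTPS is enforced unless
# the developer explicitly opts out, e.g. HTTPS_ONLY=false for local runserver.
SECURE_SSL_REDIRECT = env_flag("HTTPS_ONLY", default=True)
```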
If our GitHub code review bot spots this issue in your pull request, it gives this advice:
1 | + | SECURE_SSL_REDIRECT = False |
Your website is vulnerable because the SECURE_SSL_REDIRECT
setting is not set - so a hacker can read, intercept, and change requests performed over HTTP.
- | SECURE_SSL_REDIRECT = False |
+ | from ast import literal_eval |
+ | from os import getenv |
+ | |
+ | # feature flagged so can turn off in local development |
+ | SECURE_SSL_REDIRECT = literal_eval(getenv("HTTPS_ONLY", "True")) |
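Review bot: the last line, `SECURE_SSL_REDIRECT = literal_eval(getenv("HTTPS_ONLY", "True"))`, raises ValueError at settings import for common spellings such as `HTTPS_ONLY=false` or `off` (only Python literals parse), and accepts any other literal, such as a number or a string, as the setting value. Prefer an explicit comparison that fails closed, for example `SECURE_SSL_REDIRECT = getenv("HTTPS_ONLY", "true").lower() != "false"`, so that anything other than an explicit opt-out keeps the redirect on. The comment `# feature flagged so can turn off in local development` should also say that the variable must never be set to false in production.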