Website can be served with insecure HTTP

Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not set (Django defaults it to False), so the site can still be used over plain HTTP and an attacker on the network path can read, intercept, and modify those requests, including any session cookies or form data they carry.

When SECURE_SSL_REDIRECT = True, django.middleware.security.SecurityMiddleware answers any non-HTTPS request with a permanent (301) redirect to the same URL over HTTPS, so browsers stop using the site on insecure HTTP connections. The middleware has to be listed in MIDDLEWARE for the setting to have any effect, and paths matched by SECURE_REDIRECT_EXEMPT are left alone.

Two caveats apply. If TLS is terminated by a reverse proxy in front of Django, the middleware sees every request as plain HTTP and will redirect endlessly unless SECURE_PROXY_SSL_HEADER tells it which header the proxy sets on HTTPS requests. And the redirect only protects requests after the first one: the initial plain-HTTP request, and anything it carried, has already crossed the network, so pair the redirect with HSTS (SECURE_HSTS_SECONDS) so that returning browsers upgrade to HTTPS before sending.

If our GitHub code review bot spots this issue in your pull request, it gives this advice:

django-doctor bot suggested changes:
settings.py
+
SECURE_SSL_REDIRECT = False
Suggested changes
-
SECURE_SSL_REDIRECT = False
+
from ast import literal_eval
+
from os import getenv
+
+
# feature flagged so can turn off in local development
+
SECURE_SSL_REDIRECT = literal_eval(getenv("HTTPS_ONLY", "True"))
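Review bot: the `SECURE_SSL_REDIRECT = literal_eval(getenv("HTTPS_ONLY", "True"))` line is a fragile way to read a boolean flag. `ast.literal_eval` only accepts Python literals, so `HTTPS_ONLY=false`, `HTTPS_ONLY=no` or an empty value raises at import time and takes the whole settings module down, while `HTTPS_ONLY=0` quietly yields an int rather than a bool. Parse the variable explicitly, for example `SECURE_SSL_REDIRECT = getenv("HTTPS_ONLY", "true").strip().lower() in ("1", "true", "yes")`, and reject anything else, which also removes the need for the `from ast import literal_eval` line. The default of "True" is the right direction: an unset variable keeps the redirect on and only an explicit opt-out disables it, which is what the local-development comment wants.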
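Here is a fuller settings helper, added here as an example and not taken from the page or from Code Review Doctor, that reads the flag without ast.literal_eval and sets the companion settings the redirect relies on. It goes beyond the single line in the suggestion: it also switches on HSTS and secure cookies whenever HTTPS is enforced, and opts into SECURE_PROXY_SSL_HEADER only behind a trusted TLS-terminating proxy. The environment variable names HTTPS_ONLY and BEHIND_TLS_PROXY, the function names, and the sample environments are assumptions made for this example.

```python
"""Hardened environment-flag parsing for SECURE_SSL_REDIRECT (added example)."""
import os
from ast import literal_eval

# Accepted spellings for a boolean feature flag. This is a convention chosen
# for the example, not something Django defines.
_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}


def env_bool(name, default, environ=None):
    """Read a boolean flag from the environment.

    Unlike ast.literal_eval this accepts the spellings operators actually use
    ("false", "no", "0") and refuses anything else loudly at startup, so a
    typo cannot silently change the HTTPS policy or crash a deploy with a
    confusing parser error.
    """
    environ = os.environ if environ is None else environ
    raw = environ.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(
        f"{name}={raw!r} is not a boolean; use one of {sorted(_TRUE | _FALSE)}"
    )


def literal_eval_flag(raw):
    """The parser the bot's suggestion uses, isolated to show its failure modes.

    Returns the parsed value, or the exception class name when parsing fails.
    """
    try:
        return literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        return type(exc).__name__


def https_settings(environ=None):
    """Build the HTTPS-related Django settings from the environment.

    HTTPS_ONLY (default on) drives SECURE_SSL_REDIRECT plus the cookie and
    HSTS settings that only make sense once every request is over TLS.
    BEHIND_TLS_PROXY (default off) must be enabled only when a trusted
    reverse proxy terminates TLS and overwrites X-Forwarded-Proto on every
    request; otherwise a client can send the header itself and skip the
    redirect. Both variable names are assumptions for this example.
    """
    https_only = env_bool("HTTPS_ONLY", True, environ)
    behind_proxy = env_bool("BEHIND_TLS_PROXY", False, environ)
    return {
        "SECURE_SSL_REDIRECT": https_only,
        # Without HSTS the first request of a session still leaves the browser
        # in plaintext before the redirect; HSTS makes later visits upgrade
        # locally. One year, matching Django's deployment check.
        "SECURE_HSTS_SECONDS": 31536000 if https_only else 0,
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": https_only,
        "SESSION_COOKIE_SECURE": https_only,
        "CSRF_COOKIE_SECURE": https_only,
        # Lets SecurityMiddleware recognise an already-TLS request when it only
        # ever sees plain HTTP from the proxy; leaving this None with a proxy
        # in front produces an infinite redirect loop.
        "SECURE_PROXY_SSL_HEADER": (
            ("HTTP_X_FORWARDED_PROTO", "https") if behind_proxy else None
        ),
    }


if __name__ == "__main__":
    # Constructed environments, standing in for real deployments.
    for env in ({}, {"HTTPS_ONLY": "false"},
                {"HTTPS_ONLY": "1", "BEHIND_TLS_PROXY": "yes"}):
        print(env, "->", https_settings(env))
    # What the suggested one-liner does with values operators actually type.
    for raw in ("True", "false", "0", "yes", ""):
        print(f"literal_eval({raw!r}) -> {literal_eval_flag(raw)!r}")
```

In settings.py, `globals().update(https_settings())` applies the dictionary, or assign the keys individually. `literal_eval_flag` is included only to show that the suggested one-liner raises on "false", "yes" and an empty value and returns an int for "0".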


We're your Django code review copilot. Get code improvements right in your pull request with our GitHub code review bot.

Configuring this check

Code Review Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-secure-ssl-redirect in your pyproject.toml file.

Read more about configuring Code Review Doctor.