Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not set, so a hacker can read, intercept, and change requests performed over HTTP.
SecurityMiddleware redirects HTTP to HTTPS when SECURE_SSL_REDIRECT = True, to prevent browsers from using the website over insecure HTTP connections.
When SECURE_SSL_REDIRECT = True, the browser will be redirected to HTTPS if it performs an HTTP request.
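As an added illustration (not Code Review Doctor's or Django's own code), the following pure-Python model mirrors how SecurityMiddleware decides whether to redirect, using the real Django setting names SECURE_SSL_REDIRECT, SECURE_REDIRECT_EXEMPT and SECURE_PROXY_SSL_HEADER; the requests and the host example.com are constructed. It goes one step beyond the text above by also showing the TLS-terminating-proxy case, where the redirect loops unless SECURE_PROXY_SSL_HEADER is set as well.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Settings:
    # Same names as the real Django settings; defaults mirror Django's (redirect off).
    SECURE_SSL_REDIRECT: bool = False
    SECURE_REDIRECT_EXEMPT: list = field(default_factory=list)
    SECURE_PROXY_SSL_HEADER: Optional[tuple] = None

@dataclass
class Request:
    scheme: str                                # scheme of the hop that reached the app server
    host: str
    path: str
    meta: dict = field(default_factory=dict)   # stands in for request.META

def is_secure(settings: Settings, request: Request) -> bool:
    """Model of HttpRequest.is_secure(): a proxy header is trusted only when configured."""
    if settings.SECURE_PROXY_SSL_HEADER:
        header, value = settings.SECURE_PROXY_SSL_HEADER
        return request.meta.get(header) == value
    return request.scheme == "https"

def ssl_redirect(settings: Settings, request: Request):
    """Model of SecurityMiddleware.process_request(): (301, location) or None."""
    if not settings.SECURE_SSL_REDIRECT or is_secure(settings, request):
        return None
    path = request.path.lstrip("/")
    if any(re.search(p, path) for p in settings.SECURE_REDIRECT_EXEMPT):
        return None   # e.g. a load-balancer health check that must stay on HTTP
    return (301, f"https://{request.host}{request.path}")

# Constructed requests: plain HTTP, and HTTP whose TLS was terminated by a reverse
# proxy that reports the original scheme via X-Forwarded-Proto.
PLAIN_HTTP = Request("http", "example.com", "/login")
VIA_PROXY = Request("http", "example.com", "/login", {"HTTP_X_FORWARDED_PROTO": "https"})

def scenarios() -> dict:
    default = Settings()                                  # the finding: setting not set
    hardened = Settings(SECURE_SSL_REDIRECT=True, SECURE_REDIRECT_EXEMPT=[r"^healthz$"])
    proxied = Settings(SECURE_SSL_REDIRECT=True,
                       SECURE_PROXY_SSL_HEADER=("HTTP_X_FORWARDED_PROTO", "https"))
    return {
        "default_http": ssl_redirect(default, PLAIN_HTTP),       # None: traffic stays on HTTP
        "hardened_http": ssl_redirect(hardened, PLAIN_HTTP),     # (301, "https://example.com/login")
        "hardened_https": ssl_redirect(hardened, Request("https", "example.com", "/login")),
        "hardened_exempt": ssl_redirect(hardened, Request("http", "example.com", "/healthz")),
        "proxy_without_header_setting": ssl_redirect(hardened, VIA_PROXY),  # redirects again: loop
        "proxy_with_header_setting": ssl_redirect(proxied, VIA_PROXY),      # None: recognised as HTTPS
    }
```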
If our GitHub code review bot spots this issue in your pull request, it gives this advice:
Code Review Doctor will run this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-secure-ssl-redirect in your pyproject.toml file.