Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not set, so a hacker can read, intercept, and change requests performed over HTTP.
SecurityMiddleware redirects HTTP to HTTPS when SECURE_SSL_REDIRECT = True, which prevents browsers from using the website over insecure HTTP connections.
With SECURE_SSL_REDIRECT = True, the browser will be redirected to HTTPS if it performs an HTTP request.
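The condition described above can be checked statically before deployment. The following is an added example, not the review bot's or Django's own code: the function name audit_ssl_redirect and both sample settings strings are assumptions constructed for illustration.

```python
import ast

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"

def _literal(node):
    """Literal value of an AST node, or None when it is not a plain literal."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError):
        return None

def audit_ssl_redirect(settings_source):
    """Statically check Django settings source; return a list of findings."""
    values = {}
    for stmt in ast.parse(settings_source).body:
        # Only simple top-level "NAME = value" assignments; the last one wins.
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    values[target.id] = stmt.value
    findings = []
    if "SECURE_SSL_REDIRECT" not in values:
        findings.append("SECURE_SSL_REDIRECT is not set (Django defaults to False)")
    elif _literal(values["SECURE_SSL_REDIRECT"]) is not True:
        # False, or an expression that cannot be verified statically
        findings.append("SECURE_SSL_REDIRECT is not the literal True")
    middleware = _literal(values["MIDDLEWARE"]) if "MIDDLEWARE" in values else None
    if not isinstance(middleware, (list, tuple)) or SECURITY_MIDDLEWARE not in middleware:
        findings.append("SecurityMiddleware not in MIDDLEWARE, so nothing redirects")
    return findings

# Constructed sample settings modules (not taken from any real project).
VULNERABLE = 'MIDDLEWARE = ["django.middleware.common.CommonMiddleware"]\n'
HARDENED = '''
MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.common.CommonMiddleware",
]
SECURE_SSL_REDIRECT = True
'''

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit_ssl_redirect(src))
```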
If our GitHub code review bot spots this issue in your pull request, it gives this advice: