HSTS browser preload list not activated

Your website must set SECURE_HSTS_PRELOAD in order to be submitted to Chrome's list of sites that are hardcoded as being HTTPS only.

SecurityMiddleware adds the preload directive to the HSTS header when SECURE_HSTS_PRELOAD = True to facilitate this.

Browsers that use the HSTS preload list will make HTTPS requests to your website from the very first visit, without your website first having to return a response with an HSTS header.
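
An added example, not code from Django or Code Review Doctor: a stand-alone sketch of how Django's three HSTS settings combine into the Strict-Transport-Security header, followed by a check of that header against the preload list's header-level submission requirements (max-age of at least one year, includeSubDomains, preload). The function names and sample settings are hypothetical.

```python
# Added example: stand-alone, no Django import. Function names are hypothetical.
ONE_YEAR = 31536000  # minimum max-age (seconds) the preload list accepts


def build_hsts_header(settings):
    """Compose the header value from Django-style settings, mirroring Django's
    documented behaviour. Returns None when HSTS is switched off."""
    seconds = settings.get("SECURE_HSTS_SECONDS", 0)
    if not seconds:
        return None  # no max-age means no header at all, so preload is moot
    parts = ["max-age=%d" % seconds]
    if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False):
        parts.append("includeSubDomains")
    if settings.get("SECURE_HSTS_PRELOAD", False):
        parts.append("preload")
    return "; ".join(parts)


def preload_problems(header):
    """Return the reasons this header would be rejected for preloading."""
    if not header:
        return ["no Strict-Transport-Security header is sent"]
    directives = {}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    problems = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        problems.append("max-age is missing or not a number")
    elif int(max_age) < ONE_YEAR:
        problems.append("max-age is below %d seconds" % ONE_YEAR)
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive is missing")
    if "preload" not in directives:
        problems.append("preload directive is missing")
    return problems


# Constructed sample settings: preload on but the other two left at defaults,
# then the same file with all three set.
SAMPLE = {"SECURE_HSTS_PRELOAD": True}
FIXED = {"SECURE_HSTS_SECONDS": ONE_YEAR,
         "SECURE_HSTS_INCLUDE_SUBDOMAINS": True, "SECURE_HSTS_PRELOAD": True}

if __name__ == "__main__":
    for cfg in (SAMPLE, FIXED):
        header = build_hsts_header(cfg)
        print(header, "->", preload_problems(header) or "no header-level problems")
```

The first sample shows why SECURE_HSTS_PRELOAD = True alone is not enough: with SECURE_HSTS_SECONDS unset no header is sent, so there is nothing for the preload directive to attach to.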

If our GitHub code review bot spots this issue in your pull request it gives this advice:

django-doctor (bot) suggested changes just now
settings.py
1
+
SECURE_HSTS_PRELOAD = False
Suggested changes
-
SECURE_HSTS_PRELOAD = False
+
SECURE_HSTS_PRELOAD = True
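
Review bot: the suggested line sets SECURE_HSTS_PRELOAD = True, but the visible part of settings.py shows neither SECURE_HSTS_SECONDS nor SECURE_HSTS_INCLUDE_SUBDOMAINS. In Django the preload setting has no effect unless SECURE_HSTS_SECONDS is non-zero, so confirm both are set alongside this line before committing the suggestion.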

Your website must set SECURE_HSTS_PRELOAD in order to be submitted to Chrome's list of sites that are hardcoded as being HTTPS only.


Configuring this check

Code Review Doctor will run this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-hsts-preload in your pyproject.toml file.

Read more about configuring Code Review Doctor.