Your website must set SECURE_HSTS_PRELOAD in order to be submitted to Chrome's list of sites that are hardcoded as being HTTPS only.
SecurityMiddleware adds preload to the HSTS header when SECURE_HSTS_PRELOAD = True to facilitate this.
Browsers that use the HSTS preload list will perform HTTPS requests without your website first returning a response with an HSTS header.
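The following is an added example, not code from this page or from Django itself. It models how SecurityMiddleware assembles the header from SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS and SECURE_HSTS_PRELOAD, then checks the result against the header requirements of the preload list at hstspreload.org (max-age of at least one year, includeSubDomains, preload). The function names are hypothetical, and the list's other requirements, such as the HTTP to HTTPS redirect, are not checked.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum the preload list accepts


def sts_header_from_settings(seconds=0, include_subdomains=False, preload=False):
    """Header value sent on an HTTPS response, or None if no header is sent."""
    # Arguments stand for SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS
    # and SECURE_HSTS_PRELOAD respectively.
    if not seconds:
        return None  # preload alone does nothing without a non-zero max-age
    value = "max-age=%s" % seconds
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


def preload_problems(header):
    """Return the reasons a Strict-Transport-Security value fails preload checks."""
    if header is None:
        return ["no Strict-Transport-Security header is sent"]
    directives = {}
    for part in header.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    problems = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        problems.append("max-age is missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age is below %d seconds" % PRELOAD_MIN_MAX_AGE)
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains is missing")
    if "preload" not in directives:
        problems.append("preload is missing")
    return problems


if __name__ == "__main__":
    # Constructed settings combinations, not taken from a real project.
    for kwargs in (
        {"preload": True},
        {"seconds": 3600, "preload": True},
        {"seconds": 31536000, "include_subdomains": True, "preload": True},
    ):
        header = sts_header_from_settings(**kwargs)
        print(kwargs, "->", header, preload_problems(header) or "eligible")
```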
If our GitHub code review bot spots this issue in your pull request it gives this advice:
1 | + | SECURE_HSTS_PRELOAD = False |
Your website must set SECURE_HSTS_PRELOAD in order to be submitted to Chrome's list of sites that are hardcoded as being HTTPS only.
- | SECURE_HSTS_PRELOAD = False |
+ | SECURE_HSTS_PRELOAD = True |
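Review bot: the suggested "+ SECURE_HSTS_PRELOAD = True" line has no effect on its own, and nothing in this hunk shows SECURE_HSTS_SECONDS or SECURE_HSTS_INCLUDE_SUBDOMAINS. Confirm in the same settings file that SECURE_HSTS_SECONDS is non-zero and SECURE_HSTS_INCLUDE_SUBDOMAINS is True, since SecurityMiddleware only appends preload to an HSTS header it is already sending. Removal from the preload list is slow, so check that every subdomain serves HTTPS before merging.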