Your website is vulnerable to clickjack attack because the
MIDDLEWARE setting is missing
django.middleware.clickjacking.XFrameOptionsMiddleware - so users can be tricked into interacting with your website without realising.
If unprotected, an invisible iframe pointing at your site can be placed on top of a innocent looking button on the malicious web page - so when the user clicks the innocent button they'are actually interacting with a button on your web page.
You may find iframes useful though, so, so Django allows setting the policy to SAMEORIGIN via
X_FRAME_OPTIONS = 'SAMEORIGIN'
If our GitHub code review bot spots this issue in your pull request it gives this advice: