Enhance your Django security
Code Review Doctor checks your code follows the Django documentation security best practices, and offers the fix to save you developer effort.
This gives confidence that your users, business, and reputation are not at risk.
Code Review Doctor checks for the following security vulnerabilities:
Django version is not maintained
Django version is not maintained
Django version is not receiving bug fixes, and security fixes, and data-loss fixes.
Django bug fixes and additional features available
Django bug fixes and additional features available
New version of Django is available, including bug fixes and new features.
Security middleware not activated
Security middleware not activated
Your website is vulnerable to a number of common hacker attacks because MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware.
Clickjacking protection not activated
Clickjacking protection not activated
Your website is vulnerable to clickjack attack because the MIDDLEWARE setting is missing django.middleware.clickjacking.XFrameOptionsMiddleware - so users can be tricked into interacting with your website without realising.
Cross Site Request Forgery protection not activated
Cross Site Request Forgery protection not activated
Your website is vulnerable to CSRF attacks because the MIDDLEWARE setting is missing CsrfViewMiddleware - so a hacker can fool your website into thinking a request is coming from a logged in user.
Cross Site Request Forgery protection weak to packet sniffing
Cross Site Request Forgery protection weak to packet sniffing
Your website is vulnerable because the CSRF_COOKIE_SECURE setting is not set - so hackers have an easier time stealing your CSRF cookies on HTTP connections, allowing them to circumvent your CSRF protection.
HTTP Strict Transport Security protection not activated
HTTP Strict Transport Security protection not activated
Your website is vulnerable to Man In The Middle attacks because the SECURE_HSTS_SECONDS setting is missing - so a hacker can intercept and change requests performed over HTTP.
Use HSTS for subdomainsd
Use HSTS for subdomainsd
Your website is vulnerable to Man In The Middle attacks on subdomains because the SECURE_HSTS_INCLUDE_SUBDOMAINS setting is missing - so a hacker can intercept and change requests performed over HTTP.
Use HSTS browser preload
Use HSTS browser preload
Your website must set SECURE_HSTS_PRELOAD in order to be submitted to Chrome's list of sites that are hardcoded as being HTTPS only.
Browser can be tricked into executing uploaded malicious code
Browser can be tricked into executing uploaded malicious code
Your website is vulnerable to being tricked into executing uploaded malcious code because the SECURE_CONTENT_TYPE_NOSNIFF setting is not set.
Use HTTPS
Use HTTPS
Your website is vulnerable because the SECURE_SSL_REDIRECT setting is not set - so a hacker can read, intercept, and change requests performed over HTTP.
Session cookie is vulnerable to packet sniffing attack
Session cookie is vulnerable to packet sniffing attack
Your website is vulnerable because the SESSION_COOKIE_SECURE setting is not set - so hackers have an easier time stealing your users' session cookies on HTTP connections.
Session cookie is vulnerable to XSS attack
Session cookie is vulnerable to XSS attack
Your website is vulnerable because the SESSION_COOKIE_HTTPONLY setting is not set - so hackers have an easier time stealing your users' session cookies using an XSS attack.
Are you ready to improve your Django security? Add Code Review Doctor to GitHub.