Security middleware not activated
Your website is vulnerable to a number of common hacker attacks because MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware.
Django's SecurityMiddleware performs a suite of security checks and enhancements. By not including this middleware the following security features are not enabled:
- HTTP Strict Transport Security SecurityMiddleware can tell the browser to always use HTTPS for your website (avoiding your website doing a HTTP to HTTPS redirect every time).
- Referrer Policy SecurityMiddleware sets the referer policy header, which impacts user privacy.
- X-Content-Type-Options SecurityMiddleware sets the
X-Content-Type-Optionsheader tonosniffto prevent hackers from tricking your website into executing a malicious javascript file that they uploaded. - X-XSS-Protection SecurityMiddleware sets the
X-XSS-Protectionheader to1; mode=blockto enable the browser's built-in XSS protection. This fearure is present on Internet Explorer, Chrome and Safari. - SSL Redirect SecurityMiddleware can redirect HTTP connections to HTTPS if
SECURE_SSL_REDIRECTis set toTrue.
If our GitHub code review bot spots this issue in your pull request it gives this advice:
django-doctorbot just nowsettings.py
1 | + | MIDDLEWARE = [ | |
2 | + | 'django.middleware.common.CommonMiddleware', |
Your website is vulnerable to a number of common hacker attacks because MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware.
Suggested changes
+ | 'django.middleware.security.SecurityMiddleware', | |||
Expand 4 lines ... |
3 | + | 'django.contrib.sessions.middleware.SessionMiddleware', | |
4 | + | ... | |
5 | + | ] |
Update settings.pyInstantly check if you have this issue for free
Works with tools you use
- Detect typos
- Avoid mistakes
- Prevent bugs
- Improve tests
- Read more
- Review PRs
- One click fix
- Clear advice
- Delta aware
- Read more
- Review PRs
- Fix suggested
- Clear advice
- Delta aware
- Read more
Read about how it works.