Security middleware not activated

Your website is vulnerable to a number of common hacker attacks because the MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware.

Django's SecurityMiddleware performs a suite of security checks and enhancements. By not including this middleware the following security features are not enabled:

  • HTTP Strict Transport Security: SecurityMiddleware can tell the browser to always use HTTPS for your website (avoiding your website doing an HTTP to HTTPS redirect every time).
  • Referrer Policy: SecurityMiddleware sets the Referrer-Policy header, which impacts user privacy.
  • X-Content-Type-Options: SecurityMiddleware sets the X-Content-Type-Options header to nosniff to prevent hackers from tricking your website into executing a malicious JavaScript file that they uploaded.
  • X-XSS-Protection: SecurityMiddleware sets the X-XSS-Protection header to 1; mode=block to enable the browser's built-in XSS protection. This feature is present on Internet Explorer, Chrome and Safari.
  • SSL Redirect: SecurityMiddleware can redirect HTTP connections to HTTPS if SECURE_SSL_REDIRECT is set to True.
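To make the relationship between the middleware and the SECURE_* settings concrete, here is an added example (not Code Review Doctor's or Django's own code). It places a weak MIDDLEWARE list beside a hardened one, carries a small check of the kind the bot performs, and models which response headers SecurityMiddleware emits for a given set of settings. The header model is a simplified re-implementation of the behaviour Django documents, not Django's code; the setting names (SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, SECURE_HSTS_PRELOAD, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_BROWSER_XSS_FILTER, SECURE_REFERRER_POLICY, SECURE_SSL_REDIRECT) are real Django settings, while the function names and the sample values are assumptions made for this example. Django's own documentation recommends putting SecurityMiddleware near the top of the list so that an SSL redirect happens before other middleware runs, which is why the hardened list puts it first.

```python
"""Added example: weak vs. hardened Django MIDDLEWARE, a missing-middleware
check, and a model of the headers SecurityMiddleware adds.  Not Django's
or Code Review Doctor's code; function names and sample values are assumed."""

SECURITY_MIDDLEWARE = "django.middleware.security.SecurityMiddleware"

# Weak configuration: SecurityMiddleware is absent, so none of the SECURE_*
# settings below have any effect on the responses the site sends.
MIDDLEWARE_WEAK = [
    "django.middleware.common.CommonMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
]

# Hardened configuration: SecurityMiddleware first, as Django's docs advise.
MIDDLEWARE_HARDENED = [
    SECURITY_MIDDLEWARE,
    "django.middleware.common.CommonMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
]

# Constructed sample values; tune SECURE_HSTS_SECONDS to your own rollout.
SECURE_SETTINGS = {
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31536000,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": False,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_REFERRER_POLICY": "same-origin",
    # SECURE_BROWSER_XSS_FILTER only exists in Django < 4.0; left unset here.
}


def check_security_middleware(middleware):
    """Return a list of finding codes; an empty list means the list is fine.
    Mirrors the kind of check described on the page (hypothetical codes)."""
    findings = []
    if SECURITY_MIDDLEWARE not in middleware:
        findings.append("missing-security-middleware")
        return findings
    if middleware[0] != SECURITY_MIDDLEWARE:
        findings.append("security-middleware-not-first")
    return findings


def security_headers(settings, request_is_secure):
    """Model of the headers SecurityMiddleware adds for these settings.
    HSTS is only emitted on HTTPS responses, as in Django."""
    headers = {}
    hsts = settings.get("SECURE_HSTS_SECONDS", 0)
    if hsts and request_is_secure:
        value = f"max-age={hsts}"
        if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
            value += "; includeSubDomains"
        if settings.get("SECURE_HSTS_PRELOAD"):
            value += "; preload"
        headers["Strict-Transport-Security"] = value
    if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        headers["X-Content-Type-Options"] = "nosniff"
    if settings.get("SECURE_BROWSER_XSS_FILTER"):
        headers["X-XSS-Protection"] = "1; mode=block"
    if settings.get("SECURE_REFERRER_POLICY"):
        headers["Referrer-Policy"] = settings["SECURE_REFERRER_POLICY"]
    return headers


def effective_headers(middleware, settings, request_is_secure):
    """Headers the site actually sends: nothing at all when the middleware
    that reads the SECURE_* settings is not installed."""
    if SECURITY_MIDDLEWARE not in middleware:
        return {}
    return security_headers(settings, request_is_secure)


def should_redirect_to_https(settings, request_is_secure):
    """True when SecurityMiddleware would redirect a plain-HTTP request."""
    return bool(settings.get("SECURE_SSL_REDIRECT")) and not request_is_secure


if __name__ == "__main__":
    for name, mw in (("weak", MIDDLEWARE_WEAK), ("hardened", MIDDLEWARE_HARDENED)):
        print(name, check_security_middleware(mw),
              effective_headers(mw, SECURE_SETTINGS, request_is_secure=True))
```

Running the block shows the weak list producing the `missing-security-middleware` finding and an empty header set even though every SECURE_* setting is turned on, while the hardened list produces the HSTS, nosniff and Referrer-Policy headers on HTTPS responses.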

If our GitHub code review bot spots this issue in your pull request it gives this advice:

django-doctor bot suggested changes to settings.py:

    MIDDLEWARE = [
        'django.middleware.common.CommonMiddleware',
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        ...
    ]

Your website is vulnerable to a number of common hacker attacks because the MIDDLEWARE setting is missing django.middleware.security.SecurityMiddleware.
We're your Django code review copilot. Get code improvements right in your pull request with our GitHub code review bot.

Configuring this check

Code Review Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-security-middleware in your pyproject.toml file.

Read more about configuring Code Review Doctor.