Your website is vulnerable because the SESSION_COOKIE_HTTPONLY setting is not set, so hackers have an easier time stealing your users' session cookies using an XSS attack.
SessionMiddleware marks the session cookie as httpOnly when
If our GitHub code review bot spots this issue in your pull request, it gives this advice:
Code Review Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-session-cookie-http-only in your pyproject.toml file.
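As an added example (not Code Review Doctor's or Django's own code), the check below mirrors the rule described above: it scans a settings.py source for the SESSION_COOKIE_HTTPONLY assignment and shows how that setting changes the session cookie's Set-Cookie header. The settings fragments and the session id are constructed sample values.

```python
"""Static check for Django's SESSION_COOKIE_HTTPONLY plus a Set-Cookie demo.

Added example; it is not Code Review Doctor's check implementation.
"""
import ast
from http.cookies import SimpleCookie

SETTING = "SESSION_COOKIE_HTTPONLY"


def check_session_cookie_httponly(settings_source: str) -> str:
    """Classify a settings.py source as 'ok', 'disabled', 'dynamic' or 'missing'.

    Only top-level assignments are inspected. An explicit True is 'ok', an
    explicit False is 'disabled', a non-literal value (e.g. read from the
    environment) is 'dynamic', and no assignment at all is 'missing', which
    is the case the advice above warns about.
    """
    result = "missing"
    for node in ast.parse(settings_source).body:
        if not isinstance(node, ast.Assign):
            continue
        if not any(isinstance(t, ast.Name) and t.id == SETTING for t in node.targets):
            continue
        value = node.value
        if isinstance(value, ast.Constant) and value.value is True:
            result = "ok"
        elif isinstance(value, ast.Constant) and value.value is False:
            result = "disabled"
        else:
            result = "dynamic"
    return result


def session_set_cookie_header(httponly: bool, sessionid: str = "constructed") -> str:
    """Build the Set-Cookie line a session middleware emits for the session id.

    The HttpOnly attribute is only written when the setting is on, which is
    what keeps document.cookie in an XSS payload from reading the session id.
    """
    cookie = SimpleCookie()
    cookie["sessionid"] = sessionid
    cookie["sessionid"]["path"] = "/"
    if httponly:
        cookie["sessionid"]["httponly"] = True
    return cookie.output(header="Set-Cookie:")


# Constructed settings fragments: the flagged form beside the hardened form.
VULNERABLE_SETTINGS = "DEBUG = False\nSESSION_COOKIE_HTTPONLY = False\n"
HARDENED_SETTINGS = "DEBUG = False\nSESSION_COOKIE_HTTPONLY = True\n"

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        state = check_session_cookie_httponly(src)
        print(name, "->", state, "|", session_set_cookie_header(state == "ok"))
```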