The MIDDLEWARE list in settings.py is missing django.middleware.security.SecurityMiddleware. Django's security middleware provides several security enhancements to the request/response cycle. If present, it enables the following security features:
- HTTP Strict Transport Security: Instruct browsers to always use HTTPS to connect to the application.
- Referrer Policy: Sets the Referrer-Policy header, which controls how much referrer information the browser sends with requests that leave the application.
- X-Content-Type-Options: Prevents the browser from guessing the content type and forces it to always use the type provided in the Content-Type header.
- X-XSS-Protection: Enables the browser's built-in XSS protection. Note that current browsers have dropped this filter and Django 4.0 removed the SECURE_BROWSER_XSS_FILTER setting, so on recent Django versions this header is no longer sent.
- SSL Redirect: If SECURE_SSL_REDIRECT is set to True, SecurityMiddleware will permanently redirect all HTTP connections to HTTPS.
Place SecurityMiddleware at or near the top of the MIDDLEWARE list so that the redirect and the security headers are applied before other middleware processes the request.
In settings.py (noncompliant: SecurityMiddleware is missing):

```python
from pathlib import Path

BASE_DIR = Path(__file__).resolve().parent.parent

INSTALLED_APPS = [
    ...
]

MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    ...
]
```
In settings.py (compliant: SecurityMiddleware added at the top of the list):

```python
from pathlib import Path

BASE_DIR = Path(__file__).resolve().parent.parent

INSTALLED_APPS = [
    ...
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',  # Security middleware activated
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    ...
]
```
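A small settings check, added here as an example (it is not part of this page or of Django), that parses a settings.py source with the standard library's ast module and reports whether SecurityMiddleware is present and first, and whether the SSL-redirect and HSTS settings it drives are enabled. The two settings snippets it inspects are constructed for the example.

```python
import ast

SECURITY_MW = "django.middleware.security.SecurityMiddleware"

# Constructed sample settings.py contents; they are not a real project's files.
SETTINGS_MISSING = """
MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
]
"""

SETTINGS_FIXED = """
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
]
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 31536000
"""


def top_level_literals(source):
    """Return {name: value} for top-level assignments whose value is a literal."""
    values = {}
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                values[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                pass  # e.g. BASE_DIR = Path(...) or os.environ lookups: skip
    return values


def check_security_middleware(source):
    """Return a list of findings for a settings.py source; an empty list passes."""
    settings = top_level_literals(source)
    middleware = settings.get("MIDDLEWARE", [])
    if SECURITY_MW not in middleware:
        return ["SecurityMiddleware missing from MIDDLEWARE"]
    findings = []
    if middleware[0] != SECURITY_MW:
        findings.append("SecurityMiddleware should be first in MIDDLEWARE")
    # Django defaults: SECURE_SSL_REDIRECT=False, SECURE_HSTS_SECONDS=0.
    if not settings.get("SECURE_SSL_REDIRECT", False):
        findings.append("SECURE_SSL_REDIRECT is not True; HTTP is not redirected to HTTPS")
    if not settings.get("SECURE_HSTS_SECONDS", 0):
        findings.append("SECURE_HSTS_SECONDS is 0; no Strict-Transport-Security header")
    return findings
```

Run it over a project's own settings.py by reading the file into a string and passing it to check_security_middleware; values pulled from the environment rather than written as literals are skipped and need checking in the deployed settings.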