Python

Made by DeepSource

Security middleware not activated PY-S0909

Security
Major
Autofix
A05 OWASP Top 10

The MIDDLEWARE list in settings.py does not include django.middleware.security.SecurityMiddleware. Django's SecurityMiddleware adds several security headers and behaviours to the request/response cycle, and every SECURE_* setting in the project is read only by this middleware: while it is missing, those settings have no effect at all.

When present, SecurityMiddleware provides the following features, each controlled by a SECURE_* setting:

- HTTP Strict Transport Security (SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, SECURE_HSTS_PRELOAD): instructs browsers to connect to the application only over HTTPS. Off by default; the header is sent only on HTTPS responses and only when SECURE_HSTS_SECONDS is non-zero.
- Referrer-Policy (SECURE_REFERRER_POLICY): limits how much of the current URL leaks into the Referer header of outgoing requests. Django's default is same-origin.
- X-Content-Type-Options: nosniff (SECURE_CONTENT_TYPE_NOSNIFF): prevents the browser from guessing a resource's MIME type and forces it to honour the Content-Type header. On by default.
- X-XSS-Protection (SECURE_BROWSER_XSS_FILTER): asked browsers to enable their built-in XSS filter. Most current browsers have dropped that filter and Django 4.0 removed the setting, so do not count on it; a Content Security Policy does this job today.
- SSL redirect (SECURE_SSL_REDIRECT): when True, SecurityMiddleware answers every plain-HTTP request with a permanent (301) redirect to the HTTPS URL; SECURE_REDIRECT_EXEMPT lists path patterns to skip. Off by default.
- Newer Django versions (4.0 and later) also set Cross-Origin-Opener-Policy (SECURE_CROSS_ORIGIN_OPENER_POLICY).

Two practical points follow. First, adding the middleware with default settings only gets you the nosniff and Referrer-Policy headers; HSTS and the HTTPS redirect must be switched on explicitly, and python manage.py check --deploy lists what is still off (a missing SecurityMiddleware is reported as security.W001). Second, place the middleware near the top of MIDDLEWARE so the redirect fires before other middleware does work on a request that is about to be turned away.
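As an added example (not DeepSource's implementation of this rule), the following static audit shows what the check amounts to: parse settings.py, look for SecurityMiddleware in the MIDDLEWARE literal, and also flag the two things a reviewer cares about, SECURE_* settings that are set but inert without the middleware, and a middleware that is present but not at the top. The settings strings are constructed for the example.

```python
"""Added example, not DeepSource's own checker: a small static audit of a Django
settings.py, in the spirit of PY-S0909, that reports a missing SecurityMiddleware,
one that is not first in MIDDLEWARE, and SECURE_* settings that are inert without it."""
import ast

SECURITY_MW = "django.middleware.security.SecurityMiddleware"

# Settings read only by SecurityMiddleware; they change nothing while it is absent.
SECURE_SETTINGS = (
    "SECURE_SSL_REDIRECT",
    "SECURE_HSTS_SECONDS",
    "SECURE_HSTS_INCLUDE_SUBDOMAINS",
    "SECURE_HSTS_PRELOAD",
    "SECURE_CONTENT_TYPE_NOSNIFF",
    "SECURE_REFERRER_POLICY",
)


def _last_assignment(tree, name):
    """Return the value node of the last top-level `name = ...` in the module, or None."""
    value = None
    for node in tree.body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id == name:
                    value = node.value
    return value


def audit_settings(source):
    """Audit settings.py source text and return a list of findings (empty when clean)."""
    tree = ast.parse(source)
    findings = []
    mw_node = _last_assignment(tree, "MIDDLEWARE")
    if not isinstance(mw_node, (ast.List, ast.Tuple)):
        return ["MIDDLEWARE is not assigned a literal list or tuple; cannot audit it statically"]
    # Keep only string literals; a placeholder `...` like the one on this page is skipped.
    middleware = [
        elt.value
        for elt in mw_node.elts
        if isinstance(elt, ast.Constant) and isinstance(elt.value, str)
    ]
    if SECURITY_MW not in middleware:
        findings.append(f"MIDDLEWARE is missing {SECURITY_MW} (PY-S0909)")
        for name in SECURE_SETTINGS:
            if _last_assignment(tree, name) is not None:
                findings.append(f"{name} is set but has no effect without SecurityMiddleware")
    elif middleware.index(SECURITY_MW) != 0:
        findings.append(
            f"{SECURITY_MW} is not first in MIDDLEWARE; move it to the top so the HTTPS "
            "redirect fires before other middleware runs"
        )
    return findings


# Constructed sample inputs for the example (not real project settings).
BAD_SETTINGS = """
MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
]
SECURE_SSL_REDIRECT = True
"""

MISPLACED_SETTINGS = """
MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.security.SecurityMiddleware',
]
"""

GOOD_SETTINGS = """
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
]
SECURE_SSL_REDIRECT = True
SECURE_HSTS_SECONDS = 31536000
"""

if __name__ == "__main__":
    for label, src in [("bad", BAD_SETTINGS), ("misplaced", MISPLACED_SETTINGS), ("good", GOOD_SETTINGS)]:
        print(label, audit_settings(src) or "clean")
```

The audit is deliberately conservative: a MIDDLEWARE built with `+=`, a function call or an environment lookup cannot be checked statically and is reported as such rather than silently passed, which is also why a runtime check such as check --deploy belongs in the deployment pipeline alongside a linter.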

Bad practice

In settings.py

from pathlib import Path

BASE_DIR = Path(__file__).resolve().parent.parent

INSTALLED_APPS = [
    ...
]

MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    ...
]

Recommended

In settings.py

from pathlib import Path

BASE_DIR = Path(__file__).resolve().parent.parent

INSTALLED_APPS = [
    ...
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',  # Security middleware activated; first so its HTTPS redirect runs before the rest
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    ...
]
