Will It Vibe logoWill It Vibe?
AUTHZ-007Medium severity-8 points

Django session/CSRF cookie Secure disabled

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Django SESSION_COOKIE_SECURE or CSRF_COOKIE_SECURE is set to False, so the session and CSRF cookies are sent over plain HTTP.

Why it matters

SESSION_COOKIE_SECURE = False (and the CSRF equivalent) tells Django to send its session and CSRF cookies over HTTP as well as HTTPS. On any unencrypted request those cookies are exposed to network attackers, who can then replay the session. In production these should always be True.

How to fix it

Set SESSION_COOKIE_SECURE = True and CSRF_COOKIE_SECURE = True in production settings, driving them from an environment variable if you share a settings module with local development. Also set SECURE_SSL_REDIRECT and SECURE_HSTS_SECONDS so traffic stays on HTTPS. Confirm the app is served over HTTPS everywhere it is deployed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks