Django session/CSRF cookie Secure disabled
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
Django SESSION_COOKIE_SECURE or CSRF_COOKIE_SECURE is set to False, so the session and CSRF cookies are sent over plain HTTP.
Why it matters
SESSION_COOKIE_SECURE = False (and the CSRF equivalent) tells Django to send its session and CSRF cookies over HTTP as well as HTTPS. On any unencrypted request those cookies are exposed to network attackers, who can then replay the session. In production these should always be True.
How to fix it
Set SESSION_COOKIE_SECURE = True and CSRF_COOKIE_SECURE = True in production settings, driving them from an environment variable if you share a settings module with local development. Also set SECURE_SSL_REDIRECT and SECURE_HSTS_SECONDS so traffic stays on HTTPS. Confirm the app is served over HTTPS everywhere it is deployed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo