CSRF middleware missing from MIDDLEWARE
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A MIDDLEWARE (or legacy MIDDLEWARE_CLASSES) list is defined with no django.middleware.csrf.CsrfViewMiddleware entry, so Django's automatic CSRF token verification never runs for any view in the project.
Why it matters
With no CsrfViewMiddleware in MIDDLEWARE, Django never verifies the CSRF token on any view in the project, regardless of what {% csrf_token %} tags or decorators are scattered around templates and views. Every state-changing POST/PUT/PATCH/DELETE endpoint can be forged from another origin as long as the victim's browser is authenticated.
How to fix it
Add 'django.middleware.csrf.CsrfViewMiddleware' back into MIDDLEWARE, in the position Django's default scaffold puts it (after SessionMiddleware, before most view-facing middleware). Then run the app's test suite and manually submit at least one form to confirm the CSRF token is actually being checked.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo