Admin site mounted with no hardening hint
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
admin.site.urls is wired into urlpatterns and no dependency or import for a login-throttling or two-factor package (django-axes, django-defender, django-otp, django-two-factor-auth, django-ratelimit) was found anywhere in the repo. The Django admin is a high-value brute-force target at a predictable path. This is a low-confidence heuristic: hardening applied at the infrastructure layer (a WAF, an IP allowlist, SSO in front of it) would not show up here, so treat this as a prompt to double-check rather than a confirmed gap.
Why it matters
The Django admin is mounted at a predictable path and is a high-value target: successful login gives an attacker a UI for browsing and editing every model registered with it. With no login-throttling or two-factor package detected anywhere in the repo, a leaked or guessed admin password is enough on its own. This is a low-confidence heuristic: protection applied outside the Django app itself (a WAF rule, an IP allowlist, SSO in front of the path) would not show up in this scan.
How to fix it
Add django-axes or django-defender to rate-limit and lock out repeated failed admin login attempts, and consider django-otp or django-two-factor-auth to require a second factor for staff accounts. At minimum, move the admin off the default /admin/ path and restrict it by IP allowlist or VPN at the infrastructure layer if the application-level protections are not feasible right now.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo