django.core.checks.security.base

set(['same-origin', 'same-origin-allow-popups', 'unsafe-none'])

Error('You have set the SECURE_REFERRER_POLICY setting to an invalid value.',
      hint="""Valid values are: {}.""".format(""", """.join(sorted(REFERRER_POLICY_VALUES↵
))),
      id='security.E023')

Error('You have set the SECURE_CROSS_ORIGIN_OPENER_POLICY setting to an invalid ↵
value.',
      hint="""Valid values are: {}.""".format(""", """.join(sorted(CROSS_ORIGIN_OPENER_POLICY_VALUES↵
))),
      id='security.E024')

set(['no-referrer',
     'no-referrer-when-downgrade',
     'origin',
     'origin-when-cross-origin',
     'same-origin',
     'strict-origin',
     'strict-origin-when-cross-origin',
...

'django-insecure-'

50

5

Warning('You do not have \'django.middleware.security.SecurityMiddleware\' in yo↵
ur MIDDLEWARE so the SECURE_HSTS_SECONDS, SECURE_CONTENT_TYPE_NOSNIFF, SECURE_RE↵
FERRER_POLICY, SECURE_CROSS_ORIGIN_OPENER_POLICY, and SECURE_SSL_REDIRECT settin↵
gs will have no effect.',
        id='security.W001')

Warning('You do not have \'django.middleware.clickjacking.XFrameOptionsMiddlewar↵
e\' in your MIDDLEWARE, so your pages will not be served with an \'x-frame-optio↵
ns\' header. Unless there is a good reason for your site to be served in a frame↵
, you should consider enabling this header to help prevent clickjacking attacks.'↵
,
        id='security.W002')

Warning('You have not set a value for the SECURE_HSTS_SECONDS setting. If your e↵
ntire site is served only over SSL, you may want to consider setting a value and↵
 enabling HTTP Strict Transport Security. Be sure to read the documentation firs↵
t; enabling HSTS carelessly can cause serious, irreversible problems.',
        id='security.W004')

Warning('You have not set the SECURE_HSTS_INCLUDE_SUBDOMAINS setting to True. Wi↵
thout this, your site is potentially vulnerable to attack via an insecure connec↵
tion to a subdomain. Only set this to True if you are certain that all subdomain↵
s of your domain should be served exclusively via SSL.',
        id='security.W005')

Warning('Your SECURE_CONTENT_TYPE_NOSNIFF setting is not set to True, so your pa↵
ges will not be served with an \'X-Content-Type-Options: nosniff\' header. You s↵
hould consider enabling this header to prevent the browser from identifying cont↵
ent types incorrectly.',
        id='security.W006')

Warning('Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site s↵
hould be available over both SSL and non-SSL connections, you may want to either↵
 set this setting True or configure a load balancer or reverse-proxy server to r↵
edirect all connections to HTTPS.',
        id='security.W008')

Warning('Your SECRET_KEY has less than %(min_length)s characters, less than %(mi↵
n_unique_chars)s unique characters, or it\'s prefixed with \'%(insecure_prefix)s↵
\' indicating that it was generated automatically by Django. Please generate a l↵
ong and random SECRET_KEY, otherwise many of Django\'s security-critical feature↵
s will be vulnerable to attack.'%{'min_length': SECRET_KEY_MIN_LENGTH,
                                  'min_unique_chars': SECRET_KEY_MIN_UNIQUE_CHARACTERS↵
,
...

Warning('You should not have DEBUG set to True in deployment.',
        id='security.W018')

Warning('You have \'django.middleware.clickjacking.XFrameOptionsMiddleware\' in ↵
your MIDDLEWARE, but X_FRAME_OPTIONS is not set to \'DENY\'. Unless there is a g↵
ood reason for your site to serve other parts of itself in a frame, you should c↵
hange it to \'DENY\'.',
        id='security.W019')

Warning('ALLOWED_HOSTS must not be empty in deployment.',
        id='security.W020')

Warning('You have not set the SECURE_HSTS_PRELOAD setting to True. Without this,↵
 your site cannot be submitted to the browser preload list.',
        id='security.W021')

Warning('You have not set the SECURE_REFERRER_POLICY setting. Without this, your↵
 site will not send a Referrer-Policy header. You should consider enabling this ↵
header to protect user privacy.',
        id='security.W022')