HTTP accepted in production exposes session data to interception
critical | security | Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
SECURE_SSL_REDIRECT is disabled, or HTTP traffic is accepted at the proxy level, so unencrypted connections are allowed. Session cookies and other sensitive data can then be intercepted over plaintext HTTP.
Recommended action:
Enable the Django-level redirect (SECURE_SSL_REDIRECT = True) and configure the proxy or load balancer to redirect HTTP to HTTPS as well. Verify with curl -I http://yourdomain.com that a 301 redirect to the https:// URL is returned. Enable HSTS headers only after confirming that HTTPS works correctly.
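Added example (not code from the original advisory or from Django): a small Python checker that audits a Django settings fragment for the settings discussed above and evaluates a captured HTTP probe the way the curl -I step does. SECURE_PROXY_SSL_HEADER, the cookie Secure flags, the HSTS minimum age and the example.com hostnames are assumptions, not values from the page.

```python
from urllib.parse import urlsplit

# Constructed Django settings fragments (sample values, not from any real project).
WEAK_SETTINGS = {"SECURE_SSL_REDIRECT": False, "DEBUG": False}
HARDENED_SETTINGS = {
    "SECURE_SSL_REDIRECT": True,
    # Assumed deployment: TLS terminated at a proxy that sets X-Forwarded-Proto.
    # Without this, every request looks insecure to Django and is redirected again.
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "SECURE_HSTS_SECONDS": 31536000,  # set only after HTTPS is confirmed working
}

def audit_settings(settings):
    """Return a list of findings for the settings this advisory covers."""
    findings = []
    if settings.get("SECURE_SSL_REDIRECT") is not True:
        findings.append("SECURE_SSL_REDIRECT is not True: plaintext HTTP is accepted")
    elif "SECURE_PROXY_SSL_HEADER" not in settings:
        findings.append("SECURE_PROXY_SSL_HEADER unset: behind a proxy the redirect may loop")
    for key in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if settings.get(key) is not True:
            findings.append(f"{key} is not True: cookie may be sent over HTTP")
    if not settings.get("SECURE_HSTS_SECONDS"):
        findings.append("SECURE_HSTS_SECONDS is 0/unset: no HSTS header is emitted")
    return findings

def check_http_probe(url, status, headers):
    """Evaluate what curl -I on the plaintext URL returned: expect 301/308 to https on the same host."""
    findings = []
    if status not in (301, 308):
        findings.append(f"HTTP {status} served over plaintext instead of a permanent redirect")
        if "Set-Cookie" in headers:
            findings.append("cookie issued over plaintext HTTP")
        return findings
    target = urlsplit(headers.get("Location", ""))
    if target.scheme != "https" or target.hostname != urlsplit(url).hostname:
        findings.append(f"redirect target is not https on the same host: {headers.get('Location')!r}")
    return findings

def check_hsts(https_headers, min_age=31536000):
    """Once HTTPS works, the HTTPS response should carry a long-lived HSTS header."""
    age = 0
    for directive in https_headers.get("Strict-Transport-Security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            age = int(value)
    return age >= min_age
```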