Missing HSTS allows SSL downgrade attacks
Tags: warning, security
Updated Mar 2, 2026 (via Exa)
Technologies:
How to detect:
The HTTP Strict Transport Security (HSTS) header is not configured, so browsers are never told to use HTTPS only for this host; an attacker on the network path can then downgrade (strip) subsequent connections from HTTPS to plain HTTP.
Recommended action:
Enable HSTS gradually, using Django's SECURE_HSTS_* settings: SECURE_HSTS_SECONDS = 60 * 60 * 24 * 30 (start at 30 days) and SECURE_HSTS_INCLUDE_SUBDOMAINS = True. Verify that every page and subdomain is served correctly over HTTPS before enabling, because once a browser has seen the header it will refuse plain-HTTP connections for the full max-age. Increase the duration as confidence builds. Consider SECURE_HSTS_PRELOAD = True for inclusion in browser preload lists.
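As an added example (not part of this advisory or of Django's own code), a small Python check that reproduces the Strict-Transport-Security value Django's SecurityMiddleware emits for the SECURE_HSTS_* settings and evaluates a response's header against the rollout guidance above. The one-year max-age threshold for preload is hstspreload.org's known requirement, not something stated on this page.

```python
from __future__ import annotations
from dataclasses import dataclass, field

THIRTY_DAYS = 60 * 60 * 24 * 30   # recommended starting max-age from the guidance above
ONE_YEAR = 60 * 60 * 24 * 365     # minimum max-age hstspreload.org accepts (assumed known requirement)


def header_from_django_settings(seconds: int, include_subdomains: bool, preload: bool) -> str:
    """Header value Django's SecurityMiddleware sends for the given SECURE_HSTS_* settings."""
    value = f"max-age={seconds}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


@dataclass
class HstsAssessment:
    present: bool
    max_age: int | None = None
    include_subdomains: bool = False
    preload: bool = False
    findings: list[str] = field(default_factory=list)


def assess_hsts(headers: dict[str, str]) -> HstsAssessment:
    """Parse Strict-Transport-Security (header name and directives are case-insensitive) and list gaps."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsAssessment(False, findings=["HSTS header missing: browsers can be downgraded to HTTP"])
    result = HstsAssessment(True)
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')   # RFC 6797 allows a quoted max-age
        if name == "max-age" and arg.isdigit():
            result.max_age = int(arg)
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    if result.max_age is None:
        result.findings.append("max-age missing or malformed: browsers ignore the whole header")
    elif result.max_age < THIRTY_DAYS:
        result.findings.append(f"max-age {result.max_age} is below the 30-day starting value (0 clears the policy)")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains not set: subdomains remain downgradable")
    if result.preload and (not result.include_subdomains or (result.max_age or 0) < ONE_YEAR):
        result.findings.append("preload set but preload-list requirements (1-year max-age, includeSubDomains) not met")
    return result
```

Run `assess_hsts` over the headers of a real HTTPS response (for example `dict(resp.headers)` from `requests`) to confirm the rollout, and re-run it after each max-age increase.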