(The same reasoning should probably be applied to CSRF_COOKIE_SECURE.)
My opinion is that this isn't a good idea. Right now it's possible to always have the SecurityMiddleware in MIDDLEWARE without adding any security-specific settings to the default setup. You get the following benefits:
- Authenticating when developing locally works (as I understand it it does not with *_COOKIE_SECURE set to True because you can't authenticate anymore on the http: development server)
- You get the SecurityMiddleware's warnings if you do not enable those settings when DEBUG=False
I fear that more people will remove the SecurityMiddleware (which is in the default setup) instead of deactivating secure cookies for local development which means a net negative for security.