Is it possible to set the Django CSRF cookie to be HttpOnly? Similar to SESSION_COOKIE_HTTPONLY for the session cookie, but for the CSRF one?
The answer is no: the HttpOnly flag will not mitigate any of this. But let us concentrate on solving the CSRF issue.
Django has a {% csrf_token %} tag that is implemented to avoid malicious attacks. It generates a token on the server side when rendering the page and makes sure to cross-check this token for any requests coming back in. If the incoming requests do not contain the token, they are not executed.
Here is an example of how you can do this in PHP using the setcookie function: setcookie("sessionid", "QmFieWxvbiA1", ['httponly' => true]); The last value (true) represents setting the HttpOnly attribute.
A new setting, CSRF_COOKIE_HTTPONLY, is available in Django 1.6+.
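As an added example (not code from the page above and not Django's own middleware), the following stand-alone Python script emulates what the answers describe: the double-submit check behind {% csrf_token %}, and what the CSRF_COOKIE_HTTPONLY, CSRF_COOKIE_SECURE and CSRF_COOKIE_SAMESITE settings change in the Set-Cookie header. The settings dicts, the sample requests and the `run_demo` helper are constructed for illustration; Django is not imported, so the real middleware's per-response token masking is left out.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed settings dicts named after Django's CSRF_COOKIE_* settings
# (assumed to mirror their meaning; Django itself is not imported).
DEFAULT_SETTINGS = {"CSRF_COOKIE_HTTPONLY": False, "CSRF_COOKIE_SECURE": False,
                    "CSRF_COOKIE_SAMESITE": "Lax"}
HARDENED_SETTINGS = {"CSRF_COOKIE_HTTPONLY": True, "CSRF_COOKIE_SECURE": True,
                     "CSRF_COOKIE_SAMESITE": "Lax"}

COOKIE_NAME = "csrftoken"           # Django's default CSRF_COOKIE_NAME
FORM_FIELD = "csrfmiddlewaretoken"  # hidden input rendered by {% csrf_token %}
HEADER_NAME = "x-csrftoken"         # header AJAX clients send (compared case-insensitively)


def new_token() -> str:
    """Fresh random token (the real middleware additionally masks it per response)."""
    return secrets.token_hex(32)


def set_cookie_header(token: str, settings: dict) -> str:
    """Build the Set-Cookie value for the CSRF cookie under the given settings."""
    parts = [f"{COOKIE_NAME}={token}", "Path=/"]
    if settings.get("CSRF_COOKIE_SECURE"):
        parts.append("Secure")
    if settings.get("CSRF_COOKIE_HTTPONLY"):
        parts.append("HttpOnly")
    if settings.get("CSRF_COOKIE_SAMESITE"):
        parts.append(f"SameSite={settings['CSRF_COOKIE_SAMESITE']}")
    return "; ".join(parts)


def cookie_visible_to_js(set_cookie: str) -> bool:
    """An HttpOnly cookie is excluded from document.cookie, so a script that
    reads the token from the cookie (the common AJAX pattern) stops working
    and must read the {% csrf_token %} hidden input from the DOM instead."""
    attrs = {p.strip().lower() for p in set_cookie.split(";")[1:]}
    return "httponly" not in attrs


def csrf_check(request: dict) -> bool:
    """Double-submit check: the token in the form field or header must equal
    the token in the cookie. A cross-site forged request carries the cookie
    automatically but cannot supply the matching token."""
    jar = SimpleCookie(request.get("cookie_header", ""))
    if COOKIE_NAME not in jar:
        return False
    cookie_token = jar[COOKIE_NAME].value
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    submitted = request.get("form", {}).get(FORM_FIELD) or headers.get(HEADER_NAME)
    if not submitted:
        return False
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    return hmac.compare_digest(cookie_token.encode(), submitted.encode())


def run_demo() -> dict:
    """Constructed sample requests; returns the outcome of each check."""
    token = new_token()
    cookie_header = f"sessionid=QmFieWxvbiA1; {COOKIE_NAME}={token}"
    requests = {
        # Same-origin form POST: hidden field matches the cookie.
        "form_post": {"cookie_header": cookie_header, "form": {FORM_FIELD: token}},
        # Same-origin AJAX POST: header matches the cookie.
        "ajax_post": {"cookie_header": cookie_header, "headers": {"X-CSRFToken": token}},
        # Cross-site forgery: the browser attaches the cookie, the attacker has no token.
        "forged_post": {"cookie_header": cookie_header, "form": {}},
        # Attacker guesses a token that does not match the cookie.
        "wrong_token": {"cookie_header": cookie_header, "form": {FORM_FIELD: "0" * 64}},
        # No CSRF cookie at all.
        "no_cookie": {"cookie_header": "sessionid=QmFieWxvbiA1", "form": {FORM_FIELD: token}},
    }
    default_cookie = set_cookie_header(token, DEFAULT_SETTINGS)
    hardened_cookie = set_cookie_header(token, HARDENED_SETTINGS)
    return {
        "checks": {name: csrf_check(req) for name, req in requests.items()},
        "default_cookie": default_cookie,
        "hardened_cookie": hardened_cookie,
        "js_reads_default": cookie_visible_to_js(default_cookie),
        "js_reads_hardened": cookie_visible_to_js(hardened_cookie),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing when running it. First, the server-side check is identical under both settings dicts: HttpOnly changes only whether a script on the page can read the cookie, not whether a forged cross-site POST is rejected, which is why the "no" answer above says it does not mitigate CSRF. Second, with CSRF_COOKIE_HTTPONLY enabled, any client-side code that builds the X-CSRFToken header from document.cookie breaks and has to take the token from the csrfmiddlewaretoken hidden input instead; Django's own documentation notes that because that input is in the DOM anyway, marking the CSRF cookie HttpOnly gives little practical protection.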