id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15808	"CSRF token cookie does not utilize the ""Secure"" or ""HttpOnly"" flag"	Samuel.Lavitt@…	nobody	"I have observed that the CSRF token will not utilize the Secure or HttpOnly flags, even when Django is configured to protect session cookies using them. I would personally consider the lack of these flags a bug, as it could result in disclosure of the token value to an attacker, which would then allow them to perform CSRF attacks which would otherwise be prevented.

Because of the nature of the CSRF protection, I feel that having, at a minimum, the ability to configure the Secure flag should be included, and possibly a default setting. I understand that jQuery and JavaScript may have need to access the token for submission of data, so HttpOnly as a default may not work in many environments."	Bug	closed	CSRF	1.3	Normal	fixed	CSRF Secure HttpOnly		Accepted	1	0	0	1	0	0
