Opened 21 months ago

Last modified 14 months ago

#20825 new New feature

Make cookies use the HTTPOnly flag by default

Reported by: julien Owned by: julien
Component: HTTP handling Version: 1.5
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


The HttpOnly cookie flag helps prevent the most common types of XSS attacks (see Thus it would be preferable for Django to use it by default.

This change would be backwards-incompatible, in particular for applications that rely on cookies being accessible from genuine client-side Javascript code. Therefore this change should be clearly explained in the release notes.

Some information about the benefits and caveats of using this flag should also be added to the security section of the documentation.

This change is somewhat dependent on a resolution being found for #20755, as the Python standard library's cookies module's management of HttpOnly is inconsistent.

Change History (1)

comment:1 Changed 14 months ago by erikr

The current default for SESSION_COOKIE_HTTPONLY in current master is True. So, this concerns only the CSRF cookie, and custom cookies set though set_cookie() on a response. Are you referring to one of these specifically, or both?

Note: See TracTickets for help on using tickets.
Back to Top