
Opened 12 months ago

Last modified 4 months ago

#20825 (status: new, type: New feature)

Make cookies use the HTTPOnly flag by default

Reported by: julien
Owned by: julien
Component: HTTP handling
Version: 1.5
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The HttpOnly cookie flag helps prevent the most common types of XSS attacks (see https://www.owasp.org/index.php/HttpOnly). Thus it would be preferable for Django to use it by default.

This change would be backwards-incompatible, in particular for applications that rely on cookies being accessible from genuine client-side JavaScript code. Therefore this change should be clearly explained in the release notes.

Some information about the benefits and caveats of using this flag should also be added to the security section of the documentation.

This change is somewhat dependent on a resolution being found for #20755, as the Python standard library's cookies module's management of HttpOnly is inconsistent.

Attachments (0)

Change History (1)

comment:1 Changed 4 months ago by erikr

The current default for SESSION_COOKIE_HTTPONLY in current master is True. So, this concerns only the CSRF cookie, and custom cookies set through set_cookie() on a response. Are you referring to one of these specifically, or both?
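The following is an added example, not code from this ticket or from Django itself. It shows what the ticket's proposed default looks like from the application side: a Django-style middleware that applies HttpOnly to every cookie a view set on the response through set_cookie(), with an exemption list for cookies the client-side JavaScript genuinely has to read (the backwards-compatibility caveat the description raises, and the CSRF cookie that comment:1 singles out). Django's HttpResponse.cookies is a SimpleCookie, so the standard-library type stands in for it here and the example runs without Django; the helper names (enforce_httponly, cookies_missing_httponly, HttpOnlyCookieMiddleware) and the sample cookie values are this example's own, not Django APIs.

```python
from http.cookies import SimpleCookie


def cookies_missing_httponly(cookies: SimpleCookie) -> list:
    """Names of cookies in the jar that lack HttpOnly, i.e. cookies that script
    running on the page could read through document.cookie. Sorted so the
    result is stable regardless of insertion order."""
    return sorted(name for name, morsel in cookies.items() if not morsel["httponly"])


def enforce_httponly(cookies: SimpleCookie, exempt=frozenset()) -> list:
    """Set HttpOnly on every cookie not already carrying it, except names in
    `exempt` (cookies the application deliberately exposes to JavaScript).
    Returns the names that were changed, in jar order."""
    changed = []
    for name, morsel in cookies.items():
        if name in exempt or morsel["httponly"]:
            continue
        # Same attribute assignment Django's set_cookie(httponly=True) performs.
        morsel["httponly"] = True
        changed.append(name)
    return changed


class HttpOnlyCookieMiddleware:
    """Django-style middleware (assumed shape: __init__(get_response) and
    __call__(request)). It applies HttpOnly to every cookie on the outgoing
    response, giving an application the ticket's proposed default today."""

    def __init__(self, get_response, exempt=frozenset()):
        self.get_response = get_response
        self.exempt = frozenset(exempt)

    def __call__(self, request):
        response = self.get_response(request)
        enforce_httponly(response.cookies, self.exempt)
        return response


class _StubResponse:
    """Stand-in for django.http.HttpResponse; only the .cookies jar is needed."""

    def __init__(self):
        self.cookies = SimpleCookie()


def build_sample_response() -> _StubResponse:
    """Constructed sample: a session cookie that already has HttpOnly (the
    SESSION_COOKIE_HTTPONLY default), a CSRF cookie, and a custom cookie set
    without the flag, which is the default behaviour the ticket wants changed."""
    response = _StubResponse()
    response.cookies["sessionid"] = "constructed-session-id"
    response.cookies["sessionid"]["httponly"] = True
    response.cookies["csrftoken"] = "constructed-csrf-token"
    response.cookies["theme"] = "dark"
    return response


def run_demo():
    """Push the sample response through the middleware, exempting csrftoken
    because the client reads it to attach the header on AJAX requests.
    Returns (script-readable names before, script-readable names after, response)."""
    before = cookies_missing_httponly(build_sample_response().cookies)
    middleware = HttpOnlyCookieMiddleware(
        lambda request: build_sample_response(), exempt={"csrftoken"}
    )
    response = middleware(request=None)
    after = cookies_missing_httponly(response.cookies)
    return before, after, response


if __name__ == "__main__":
    before, after, response = run_demo()
    print("readable by script before:", before)
    print("readable by script after: ", after)
    for morsel in response.cookies.values():
        print("Set-Cookie:", morsel.OutputString())
```

The exemption list is the point of the design: an opt-out per cookie keeps the secure default for everything else while the application documents exactly which cookies it exposes to script, which is the same trade-off the release notes would have to explain if Django changed the default.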
