Make cookies use the HTTPOnly flag by default
| Reported by:  | Julien Phalip | Owned by:                | Julien Phalip |
| Has patch:    | no            | Needs documentation:     | no            |
| Needs tests:  | no            | Patch needs improvement: | no            |
The HttpOnly cookie flag helps prevent the most common types of XSS attacks (see https://www.owasp.org/index.php/HttpOnly). It would therefore be preferable for Django to use it by default.

Some information about the benefits and caveats of using this flag should also be added to the security section of the documentation.
This change is somewhat dependent on a resolution being found for #20755, as the Python standard library's cookies module's management of HttpOnly is inconsistent.
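As an added example (not code from the ticket or from Django itself), the following shows what an HttpOnly-by-default cookie emitter looks like using only Python's standard library `http.cookies` module, plus a small audit helper a defender can run over an emitted `Set-Cookie` header to confirm the flag is present. The function names `build_set_cookie` and `cookie_flags` and the sample cookie names are this example's own. Note the pattern of assigning the `httponly`/`secure` attributes only when they are true rather than storing a literal `False`: a Morsel stores whatever object it is given, and the emitted attribute string depends on how that value is handled, which is the kind of inconsistency the ticket points at.

```python
from http.cookies import SimpleCookie


def build_set_cookie(name, value, httponly=True, secure=False, path="/"):
    """Return the Set-Cookie header value for one cookie.

    HttpOnly is on by default, the behaviour the ticket asks Django to adopt.
    The flag attributes are only assigned when they are truthy: a Morsel
    stores the object it is given, so storing a literal False is avoided
    rather than relying on how a given stdlib version renders it.
    """
    cookie = SimpleCookie()
    cookie[name] = value  # SimpleCookie quotes the value only if it must
    morsel = cookie[name]
    morsel["path"] = path
    if httponly:
        morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    # OutputString() renders "name=value; Attr; Attr=val" with attributes in
    # sorted key order, e.g. "sessionid=abc; HttpOnly; Path=/; Secure".
    return morsel.OutputString()


def cookie_flags(set_cookie_header):
    """Audit a Set-Cookie header value and report which defensive flags it
    carries. Attribute names are compared case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in set_cookie_header.split(";")]
    attrs = {p.lower() for p in parts[1:]}
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}


if __name__ == "__main__":
    # Constructed sample: a session cookie with the default (HttpOnly) and a
    # cosmetic preference cookie that a page script legitimately needs to read.
    for header in (
        build_set_cookie("sessionid", "abc123", secure=True),
        build_set_cookie("theme", "dark", httponly=False),
    ):
        print(header, "->", cookie_flags(header))
```

In a Django project the same default is controlled per cookie by `SESSION_COOKIE_HTTPONLY` and `CSRF_COOKIE_HTTPONLY` in settings, and by the `httponly` argument of `HttpResponse.set_cookie()` for cookies set by hand; the audit helper above can be pointed at any `Set-Cookie` header captured from a response to check that the flag actually reached the wire.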