id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
20825	Make cookies use the HTTPOnly flag by default	Julien Phalip	Julien Phalip	"The `HttpOnly` cookie flag helps prevent the most common types of XSS attacks (see https://www.owasp.org/index.php/HttpOnly). Thus it would be preferable for Django to use it by default.

This change would be backwards-incompatible, in particular for applications that rely on cookies being accessible from genuine client-side JavaScript code. Therefore this change should be clearly explained in the release notes.

Some information about the benefits and caveats of using this flag should also be added to the security section of the documentation.

This change is somewhat dependent on a resolution being found for #20755, as the Python standard library's `cookies` module's management of `HttpOnly` is inconsistent."	New feature	closed	HTTP handling	1.5	Normal	wontfix			Accepted	0	0	0	0	0	0
