id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30304	Support setting Secure, HttpOnly, SameSite on the language cookie	Ran Benita	Ran Benita	"I propose to add the following settings, with the following default values:

{{{
LANGUAGE_COOKIE_SECURE = False
LANGUAGE_COOKIE_HTTPONLY = False
LANGUAGE_COOKIE_SAMESITE = None
}}}

The default values maintain the current behavior.

These settings do not provide much security value, since the language is not secret or sensitive. This was also discussed briefly here: https://github.com/django/django/pull/8380#discussion_r112448195. The reasons I'd like to add them are:

1. Sometimes auditors require them.
2. I personally prefer to set them unless I have a reason *not* to.
3. Browsers are starting to strongly nudge toward HttpOnly and Secure when possible, e.g. https://webkit.org/blog/8613/intelligent-tracking-prevention-2-1/."	New feature	closed	Internationalization	dev	Normal	fixed	language cookie		Ready for checkin	1	0	0	0	0	0
