#31260 closed Cleanup/optimization (wontfix)
Enable cookie security if HTTPS is explicitly indicated in settings.
Reported by: | Adam Yala | Owned by: | nobody |
---|---|---|---|
Component: | Core (Other) | Version: | 3.0 |
Severity: | Normal | Keywords: | ssl https cookie settings |
Cc: | Adam Johnson | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Per this conversation https://forum.djangoproject.com/t/why-are-cookie-secure-settings-defaulted-to-false/ on forum.djangoproject.com with Adam Johnson, the goal of this ticket is to help improve Django's default security.
By default, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE are set to False.
The purpose of this ticket is to set SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True if either SECURE_SSL_REDIRECT or SECURE_HSTS_SECONDS is enabled.
Change History (5)
comment:1 by , 5 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Summary: | Enable cookie security if HTTPS is explicitly indicated in settings → Enable cookie security if HTTPS is explicitly indicated in settings. |
comment:2 by , 5 years ago
Cc: | added |
---|
A cleaner alternative I thought of would be to introduce the new value None as the default for these settings, which could mean the secure flag is set on the cookies if request.is_secure(). The only potential breakage is for sites that are served on HTTP and HTTPS, which is something of a misconfiguration these days.
comment:3 by , 5 years ago
Resolution: | wontfix |
---|---|
Status: | closed → new |
comment:4 by , 5 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Thanks for this ticket, however I'm not in favor of internal rules which change settings implicitly. It can be confusing and sometimes unexpected. You can start a discussion on DevelopersMailingList if you don't agree. We can reopen this ticket after getting a strong consensus.