paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-23 04:52:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

settings: Use existing Django setting to mark CSRF cookie HttpOnly.

Browse Source 
Instead of sneakily injecting HttpOnly into the cookie via the path
setting, use the setting that was designed for this purpose.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
This commit is contained in:
Anders Kaseorg
2020-04-06 14:58:17 -07:00
committed by Tim Abbott
parent dce6b4a40f
commit f47a9408cd
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
zproject/settings.py
View File

@@ -391,7 +391,7 @@ if PRODUCTION:
# Prevent Javascript from reading the CSRF token from cookies. Our code gets
# the token from the DOM, which means malicious code could too. But hiding the
# cookie will slow down some attackers.
CSRF_COOKIE_PATH = '/;HttpOnly'
CSRF_COOKIE_HTTPONLY = True
CSRF_FAILURE_VIEW = 'zerver.middleware.csrf_failure'
if DEVELOPMENT: