settings: harden CRSF cookie's

Harden the CSRF cookie's by allowing them HTTP ONLY and marking them as secure. Closes: #173
author: Jelle van der Waa <jelle@vdwaa.nl> 2019-02-05 21:56:29 +0100
committer: Jelle van der Waa <jelle@vdwaa.nl> 2019-02-05 21:56:29 +0100
commit: 40d5fc5db4cd116ac9ed5e071eacbc1c753030c5 (patch)
tree: ae3d7a1e187bbbdb178113383d43f4a3cf49c8f0
parent: daf554d29bcfed8bb285d95a345a55b52389d3b3 (diff)
download: archweb-40d5fc5db4cd116ac9ed5e071eacbc1c753030c5.tar.gz
archweb-40d5fc5db4cd116ac9ed5e071eacbc1c753030c5.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/settings.py b/settings.py
index f5b282c2..a96984c6 100644
--- a/settings.py
+++ b/settings.py
@@ -79,6 +79,10 @@ MESSAGE_STORAGE = 'django.contrib.messages.storage.session.SessionStorage'
 SESSION_ENGINE = 'django.contrib.sessions.backends.cached_db'
 SESSION_COOKIE_HTTPONLY = True
 
+# CRSF cookie
+CSRF_COOKIE_SECURE = True
+CSRF_COOKIE_HTTPONLY = True
+
 # Clickjacking protection
 X_FRAME_OPTIONS = 'DENY'
author	Jelle van der Waa <jelle@vdwaa.nl>	2019-02-05 21:56:29 +0100
committer	Jelle van der Waa <jelle@vdwaa.nl>	2019-02-05 21:56:29 +0100
commit	40d5fc5db4cd116ac9ed5e071eacbc1c753030c5 (patch)
tree	ae3d7a1e187bbbdb178113383d43f4a3cf49c8f0
parent	daf554d29bcfed8bb285d95a345a55b52389d3b3 (diff)
download	archweb-40d5fc5db4cd116ac9ed5e071eacbc1c753030c5.tar.gz archweb-40d5fc5db4cd116ac9ed5e071eacbc1c753030c5.zip