Set the CSRF token cookie as HttpOnly

(imported from commit 0bf4239db085edcfc311efeb61da3ef409cc6206)
2012-10-26 15:57:13 -04:00 · 2012-10-26 15:57:13 -04:00 · 3e86da67f9
parent 80ef222a60
commit 3e86da67f9
1 changed files with 5 additions and 0 deletions
--- a/humbug/settings.py
+++ b/humbug/settings.py
@ -84,6 +84,11 @@ if deployed:
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE    = True

+# Prevent Javascript from reading the CSRF token from cookies.  Our code gets
+# the token from the DOM, which means malicious code could too.  But hiding the
+# cookie will slow down some attackers.
+CSRF_COOKIE_PATH = '/;HttpOnly'
+
 # Used just for generating initial passwords and API keys.
 INITIAL_PASSWORD_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
 INITIAL_API_KEY_SALT  = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'