From 3e86da67f95b78f0ac455291d99f45941b7ea305 Mon Sep 17 00:00:00 2001
From: Keegan McAllister
Date: Fri, 26 Oct 2012 15:57:13 -0400
Subject: [PATCH] Set the CSRF token cookie as HttpOnly

(imported from commit 0bf4239db085edcfc311efeb61da3ef409cc6206)
---
 humbug/settings.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/humbug/settings.py b/humbug/settings.py
index 3d54cfa02a..929a58b7e8 100644
--- a/humbug/settings.py
+++ b/humbug/settings.py
@@ -84,6 +84,11 @@ if deployed:
     SESSION_COOKIE_SECURE = True
     CSRF_COOKIE_SECURE = True
 
+# Prevent Javascript from reading the CSRF token from cookies. Our code gets
+# the token from the DOM, which means malicious code could too. But hiding the
+# cookie will slow down some attackers.
+CSRF_COOKIE_PATH = '/;HttpOnly'
+
 # Used just for generating initial passwords and API keys.
 INITIAL_PASSWORD_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
 INITIAL_API_KEY_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
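Review bot: `CSRF_COOKIE_PATH = '/;HttpOnly'` smuggles a cookie attribute through the Path setting, which only works as long as Django and the underlying Python cookie serializer emit the path value verbatim, unquoted and unvalidated; a library upgrade that quotes or rejects the value would silently drop the HttpOnly flag or break the CSRF cookie entirely, and anything else that consults `CSRF_COOKIE_PATH` (cookie deletion or rotation, presumably) would see a bogus path. The added comment explains the intent but not that this is a workaround, so a later maintainer has no cue to retire it; I would prefix it with `# HACK: this Django version has no setting for HttpOnly on the CSRF cookie, so the flag is appended via the Path attribute; replace with CSRF_COOKIE_HTTPONLY = True once the Django version in use supports it.`. Note also that the new lines sit at column 0 after the `if deployed:` block, so unlike the two `*_COOKIE_SECURE` settings above them the hack applies in every environment, which is worth stating in the comment if it is intentional.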