mirror of https://github.com/zulip/zulip.git
settings: Use existing Django setting to mark CSRF cookie HttpOnly.
Instead of sneakily injecting HttpOnly into the cookie via the path setting, use the setting that was designed for this purpose.

Signed-off-by: Anders Kaseorg <anders@zulipchat.com>
parent dce6b4a40f
commit f47a9408cd
@ -391,7 +391,7 @@ if PRODUCTION:
# Prevent Javascript from reading the CSRF token from cookies. Our code gets
# the token from the DOM, which means malicious code could too. But hiding the
# cookie will slow down some attackers.
CSRF_COOKIE_PATH = '/;HttpOnly'
CSRF_COOKIE_HTTPONLY = True
CSRF_FAILURE_VIEW = 'zerver.middleware.csrf_failure'
if DEVELOPMENT:
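Review bot: the swap of `CSRF_COOKIE_PATH = '/;HttpOnly'` for `CSRF_COOKIE_HTTPONLY = True` is the right fix, and dropping the path override lets CSRF_COOKIE_PATH fall back to Django's default of '/', so the cookie's scope does not change. The comment block above the setting still reads correctly, since the page's JavaScript keeps taking the token from the DOM rather than the cookie, so no comment edit is needed. One thing to confirm: the hunk header places this block under `if PRODUCTION:`, so the development server keeps a script-readable CSRF cookie; if that is intended, a short note in the comment would save the next reader from wondering, otherwise the setting could apply in both modes.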