From f47a9408cd54cfd895893badb4b8d6dd7cc93258 Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Mon, 6 Apr 2020 14:58:17 -0700
Subject: [PATCH] settings: Use existing Django setting to mark CSRF cookie HttpOnly.

Instead of sneakily injecting HttpOnly into the cookie via the path setting, use the setting that was designed for this purpose.

Signed-off-by: Anders Kaseorg
---
 zproject/settings.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zproject/settings.py b/zproject/settings.py
index 881be786de..4ad1d59de8 100644
--- a/zproject/settings.py
+++ b/zproject/settings.py
@@ -391,7 +391,7 @@ if PRODUCTION:
 # Prevent Javascript from reading the CSRF token from cookies. Our code gets
 # the token from the DOM, which means malicious code could too. But hiding the
 # cookie will slow down some attackers.
-CSRF_COOKIE_PATH = '/;HttpOnly'
+CSRF_COOKIE_HTTPONLY = True
 CSRF_FAILURE_VIEW = 'zerver.middleware.csrf_failure'
 
 if DEVELOPMENT:
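Review bot: The added `CSRF_COOKIE_HTTPONLY = True` line is at column 0, so it applies in every environment and not only under the `if PRODUCTION:` block named in the hunk header; that matches what the removed line did, but the comment above it does not say so and a reader of the header context could assume otherwise. I would extend that comment with `# Applies in every environment, not only under PRODUCTION.` Removing the path hack also lets CSRF_COOKIE_PATH fall back to Django's default of '/', which is the path the old value effectively set, so the cookie scope is unchanged. Whether CSRF_COOKIE_SECURE (and, on Django 2.1 or later, CSRF_COOKIE_SAMESITE) are set for production is not visible in this hunk and is worth confirming, since HttpOnly on its own does nothing for the token in transit.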