Django CSRF cookie HttpOnly

Is it possible to set the Django CSRF cookie to HttpOnly? Similar to SESSION_COOKIE_HTTPONLY for the session cookie, but for the CSRF one?

+8
django csrf
3 answers

A new setting, CSRF_COOKIE_HTTPONLY, is available in Django.

+18

For Django 1.6+, check the accepted answer. For Django 1.5 and earlier, there is no parameter for this.

You can override process_response() of django.middleware.csrf.CsrfViewMiddleware and use the custom class instead of CsrfViewMiddleware in MIDDLEWARE_CLASSES:

```python
from django.conf import settings
from django.middleware.csrf import CsrfViewMiddleware

class Foo(CsrfViewMiddleware):
    def process_response(self, request, response):
        response = super(Foo, self).process_response(request, response)
        # The cookie is only set on responses that used the token, so guard the lookup.
        if settings.CSRF_COOKIE_NAME in response.cookies:
            response.cookies[settings.CSRF_COOKIE_NAME]['httponly'] = True
        return response
```

Or in another middleware that runs after CsrfViewMiddleware during the response phase:

```python
from django.conf import settings

class Foo(object):
    def process_response(self, request, response):
        # Only touch the cookie when this response actually sets it.
        if settings.CSRF_COOKIE_NAME in response.cookies:
            response.cookies[settings.CSRF_COOKIE_NAME]['httponly'] = True
        return response
```
+11
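As an added example (not code from the answer above or from Django itself), this stand-alone Python mirrors what the middleware does to response.cookies, which in Django is a stdlib SimpleCookie, and adds a check over rendered Set-Cookie values that a deployment test could run. The cookie name csrftoken is Django's default CSRF_COOKIE_NAME, hard-coded here as an assumption so the code runs without Django installed.

```python
from http.cookies import SimpleCookie

# Django's default CSRF_COOKIE_NAME; hard-coded (assumption) so this runs without Django.
CSRF_COOKIE_NAME = "csrftoken"


def harden_csrf_cookie(cookies, name=CSRF_COOKIE_NAME):
    """Same effect as the middleware on response.cookies (a SimpleCookie):
    mark the CSRF cookie HttpOnly, but only if this response actually sets it."""
    if name in cookies:
        cookies[name]["httponly"] = True
    return cookies


def render_set_cookie(cookies):
    """Render each cookie as the Set-Cookie header value the browser will receive."""
    return [morsel.OutputString() for morsel in cookies.values()]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, {attribute: value}); bare flags map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name.strip(), attrs


def audit_cookies(set_cookie_headers, required=("httponly",)):
    """Return {cookie_name: [missing flags]} for every cookie lacking a required flag."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


def demo():
    """Constructed response cookies: session cookie already HttpOnly, CSRF cookie not."""
    cookies = SimpleCookie()
    cookies["sessionid"] = "constructed-session-id"
    cookies["sessionid"]["httponly"] = True
    cookies[CSRF_COOKIE_NAME] = "constructed-csrf-token"
    before = audit_cookies(render_set_cookie(cookies))
    after = audit_cookies(render_set_cookie(harden_csrf_cookie(cookies)))
    return before, after


if __name__ == "__main__":
    print(demo())  # ({'csrftoken': ['httponly']}, {})
```

Once the CSRF cookie is HttpOnly, page JavaScript can no longer read the token from document.cookie, so AJAX code has to take it from the hidden csrfmiddlewaretoken form field instead.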

You can actually fix your Django files to mimic the functionality present in later versions if you have version 1.6.

The patch is quite simple, and the modified files are visible here:

https://github.com/django/django/commit/720888a14699a80a6cd07d32514b9dcd5b1005fb

Images showing the changes are included below in case GitHub goes away.

Here is the rest of this page.

(Image of those edits)

You do not need to worry about them being overwritten by an update, since the update will include these lines.

0
