Loading django/conf/global_settings.py +1 −0 Original line number Diff line number Diff line Loading @@ -529,6 +529,7 @@ CSRF_COOKIE_NAME = 'csrftoken' CSRF_COOKIE_DOMAIN = None CSRF_COOKIE_PATH = '/' CSRF_COOKIE_SECURE = False CSRF_COOKIE_HTTPONLY = False ############ # MESSAGES # Loading django/middleware/csrf.py +2 −1 Original line number Diff line number Diff line Loading @@ -210,7 +210,8 @@ class CsrfViewMiddleware(object): max_age = 60 * 60 * 24 * 7 * 52, domain=settings.CSRF_COOKIE_DOMAIN, path=settings.CSRF_COOKIE_PATH, secure=settings.CSRF_COOKIE_SECURE secure=settings.CSRF_COOKIE_SECURE, httponly=settings.CSRF_COOKIE_HTTPONLY ) # Content varies with the CSRF cookie, so set the Vary header. patch_vary_headers(response, ('Cookie',)) Loading docs/ref/contrib/csrf.txt +1 −0 Original line number Diff line number Diff line Loading @@ -491,6 +491,7 @@ Settings A number of settings can be used to control Django's CSRF behavior: * :setting:`CSRF_COOKIE_DOMAIN` * :setting:`CSRF_COOKIE_HTTPONLY` * :setting:`CSRF_COOKIE_NAME` * :setting:`CSRF_COOKIE_PATH` * :setting:`CSRF_COOKIE_SECURE` Loading docs/ref/settings.txt +13 −0 Original line number Diff line number Diff line Loading @@ -281,6 +281,19 @@ Please note that the presence of this setting does not imply that Django's CSRF protection is safe from cross-subdomain attacks by default - please see the :ref:`CSRF limitations <csrf-limitations>` section. .. setting:: CSRF_COOKIE_HTTPONLY CSRF_COOKIE_HTTPONLY -------------------- .. versionadded:: 1.6 Default: ``False`` Whether to use HttpOnly flag on the CSRF cookie. If this is set to ``True``, client-side JavaScript will not to be able to access the CSRF cookie. See :setting:`SESSION_COOKIE_HTTPONLY` for details on HttpOnly. .. setting:: CSRF_COOKIE_NAME CSRF_COOKIE_NAME Loading docs/releases/1.6.txt +3 −0 Original line number Diff line number Diff line Loading 
@@ -36,6 +36,9 @@ Minor features * Authentication backends can raise ``PermissionDenied`` to immediately fail the authentication chain. * The HttpOnly flag can be set on the CSRF cookie with :setting:`CSRF_COOKIE_HTTPONLY`. * The ``assertQuerysetEqual()`` now checks for undefined order and raises ``ValueError`` if undefined order is spotted. The order is seen as undefined if the given ``QuerySet`` isn't ordered and there are more than Loading Loading
django/conf/global_settings.py +1 −0 Original line number Diff line number Diff line Loading @@ -529,6 +529,7 @@ CSRF_COOKIE_NAME = 'csrftoken' CSRF_COOKIE_DOMAIN = None CSRF_COOKIE_PATH = '/' CSRF_COOKIE_SECURE = False CSRF_COOKIE_HTTPONLY = False ############ # MESSAGES # Loading
django/middleware/csrf.py +2 −1 Original line number Diff line number Diff line Loading @@ -210,7 +210,8 @@ class CsrfViewMiddleware(object): max_age = 60 * 60 * 24 * 7 * 52, domain=settings.CSRF_COOKIE_DOMAIN, path=settings.CSRF_COOKIE_PATH, secure=settings.CSRF_COOKIE_SECURE secure=settings.CSRF_COOKIE_SECURE, httponly=settings.CSRF_COOKIE_HTTPONLY ) # Content varies with the CSRF cookie, so set the Vary header. patch_vary_headers(response, ('Cookie',)) Loading
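Review bot: The `httponly=settings.CSRF_COOKIE_HTTPONLY` argument added to the `set_cookie` call in `CsrfViewMiddleware` (the enclosing method starts and ends outside this hunk) gates a flag whose protective value for a CSRF token is narrower than the new docs text suggests, since the same token is also rendered into page content by Django's `csrf_token` template tag and so is not hidden from a script that can read the DOM. I'd say so at the call site: `# HttpOnly only keeps the token out of document.cookie; it is still exposed to page scripts via the csrfmiddlewaretoken form field.` If the Ajax guidance in docs/ref/contrib/csrf.txt reads the token from this cookie (not visible in this hunk), the new CSRF_COOKIE_HTTPONLY entry in docs/ref/settings.txt should state that enabling it requires obtaining the token from the DOM instead. That entry also reads `client-side JavaScript will not to be able to access`; the stray `to` should be dropped.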
docs/ref/contrib/csrf.txt +1 −0 Original line number Diff line number Diff line Loading @@ -491,6 +491,7 @@ Settings A number of settings can be used to control Django's CSRF behavior: * :setting:`CSRF_COOKIE_DOMAIN` * :setting:`CSRF_COOKIE_HTTPONLY` * :setting:`CSRF_COOKIE_NAME` * :setting:`CSRF_COOKIE_PATH` * :setting:`CSRF_COOKIE_SECURE` Loading
docs/ref/settings.txt +13 −0 Original line number Diff line number Diff line Loading @@ -281,6 +281,19 @@ Please note that the presence of this setting does not imply that Django's CSRF protection is safe from cross-subdomain attacks by default - please see the :ref:`CSRF limitations <csrf-limitations>` section. .. setting:: CSRF_COOKIE_HTTPONLY CSRF_COOKIE_HTTPONLY -------------------- .. versionadded:: 1.6 Default: ``False`` Whether to use HttpOnly flag on the CSRF cookie. If this is set to ``True``, client-side JavaScript will not to be able to access the CSRF cookie. See :setting:`SESSION_COOKIE_HTTPONLY` for details on HttpOnly. .. setting:: CSRF_COOKIE_NAME CSRF_COOKIE_NAME Loading
docs/releases/1.6.txt +3 −0 Original line number Diff line number Diff line Loading @@ -36,6 +36,9 @@ Minor features * Authentication backends can raise ``PermissionDenied`` to immediately fail the authentication chain. * The HttpOnly flag can be set on the CSRF cookie with :setting:`CSRF_COOKIE_HTTPONLY`. * The ``assertQuerysetEqual()`` now checks for undefined order and raises ``ValueError`` if undefined order is spotted. The order is seen as undefined if the given ``QuerySet`` isn't ordered and there are more than Loading