mirror of https://github.com/django/django.git synced 2025-11-07 07:15:35 +00:00

Fixed #15808 -- Added optional HttpOnly flag to the CSRF Cookie.

Thanks Samuel Lavitt for the report and Sascha Peilicke for the patch.
Aymeric Augustin
2013-02-07 09:48:08 +01:00
parent 6afc85af47
commit 720888a146
6 changed files with 23 additions and 2 deletions

@@ -36,6 +36,9 @@ Minor features
* Authentication backends can raise ``PermissionDenied`` to immediately fail
the authentication chain.
* The HttpOnly flag can be set on the CSRF cookie with
:setting:`CSRF_COOKIE_HTTPONLY`.
* The ``assertQuerysetEqual()`` now checks for undefined order and raises
``ValueError`` if undefined order is spotted. The order is seen as
undefined if the given ``QuerySet`` isn't ordered and there are more than
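Review bot: The new bullet for :setting:`CSRF_COOKIE_HTTPONLY` names the setting but says nothing about its default or its side effect. The commit message calls the flag optional, so the release note should say that it is off unless enabled. It should also say that an HttpOnly cookie cannot be read by client-side script, which matters to any page that pulls the CSRF token out of the cookie to send it with AJAX requests. Suggest extending the bullet with one clause covering both points and letting the setting's reference entry carry the detail.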