mirror of https://github.com/django/django.git synced 2025-11-07 07:15:35 +00:00

Fixed #27611 -- Doc'd that CSRF_COOKIE_HTTPONLY setting offers no security.

This commit is contained in:
Tim Graham
2016-12-19 17:56:58 -05:00
committed by GitHub
parent 1a04b1762b
commit c27104a9c7
4 changed files with 15 additions and 65 deletions

@@ -593,7 +593,9 @@ The following checks are run if you use the :option:`check --deploy` option:
sniffers to steal the CSRF token.
* **security.W017**: :setting:`CSRF_COOKIE_HTTPONLY` is not set to ``True``.
Using an ``HttpOnly`` CSRF cookie makes it more difficult for cross-site
scripting attacks to steal the CSRF token.
scripting attacks to steal the CSRF token. *This check is removed in Django
1.11 as the* :setting:`CSRF_COOKIE_HTTPONLY` *setting offers no pratical
benefit.*
* **security.W018**: You should not have :setting:`DEBUG` set to ``True`` in
deployment.
* **security.W019**: You have
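Review bot: The added italic sentence in the W017 entry asserts that the setting "offers no pratical benefit" immediately after the unchanged line stating that an ``HttpOnly`` CSRF cookie "makes it more difficult for cross-site scripting attacks to steal the CSRF token", and the hunk gives the reader no reason for the reversal; one short clause explaining why the check is being dropped, or a cross-reference to the :setting:`CSRF_COOKIE_HTTPONLY` setting docs where the rationale lives, would keep the two sentences from reading as a contradiction. Also fix the typo on that line: "pratical" should be "practical".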