Fix XSS settings in Deployment Documentation
Deployment document referenced the HTTPOnly setting but was pointing to Secure Cookies. Updated the document to reflect both HTTPOnly and Secure Cookie settings.

Closes-Bug: #1431458
Change-Id: I9117753e4295116184ecae22729db6d0ae629cf8
parent 84a18d481f
commit 62a9d4320f
@ -208,11 +208,24 @@ HTTPS, it is recommended that the following settings are applied.
To help protect the session cookies from `cross-site scripting`_, add the
following to ``local_settings.py``::
CSRF_COOKIE_HTTPONLY = True
SESSION_COOKIE_HTTPONLY = True
Client-side JavaScript will not be able to access the cookie if this set to
True. Note that the HTTPOnly is a flag included in Set-Cookie HTTP response
header and is not honored consistently by all browsers. This is available from
Django 1.7
Additionally, adding the following flags to ``local_settings.py`` marks the
cookies as secure, which ensures that the cookie is only sent under an HTTPS
connection::
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
Note that the CSRF_COOKIE_SECURE option is only available from Django 1.4. It
does no harm to have the setting in earlier versions, but it does not take effect.
Note that the CSRF_COOKIE_SECURE option is only available from Django 1.4 and
SESSION_COOKIE_SECURE from Django 1.7. It does no harm to have the setting in
earlier versions, but it does not take effect.
You can also disable `browser autocompletion`_ for the authentication form by
modifying the ``HORIZON_CONFIG`` dictionary in ``local_settings.py`` by adding
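Review bot: two wording problems in the new HTTPOnly paragraph: "if this set to True" is missing "is", and "This is available from Django 1.7" has no full stop and does not say which setting it is dating, although the paragraph introduces two (CSRF_COOKIE_HTTPONLY and SESSION_COOKIE_HTTPONLY), which need not share a minimum version. Suggest "Client-side JavaScript will not be able to access the cookie if this is set to True." followed by an explicit sentence naming each setting with its version, checked against the Django settings reference, since the hunk cites no source for the 1.7 figure. The same check applies to the rewritten Secure-cookie note, which dates SESSION_COOKIE_SECURE to Django 1.7 while keeping CSRF_COOKIE_SECURE at 1.4. The hunk also shows both the old and the new wording of that note; confirm the old one is dropped so the rendered page carries a single note, and end the HTTPOnly sentence with the period the Secure-cookie note already has.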