Fix XSS settings in Deployment Documentation

Deployment document referenced the HTTPOnly setting but was pointing to
Secure Cookies. Updated the document to reflect both HTTPOnly and Secure
Cookie settings.

Closes-Bug: #1431458

Change-Id: I9117753e4295116184ecae22729db6d0ae629cf8

doc/source/topics/deployment.rst

@@ -208,11 +208,24 @@ HTTPS, it is recommended that the following settings are applied.
 To help protect the session cookies from `cross-site scripting`_, add the
 following to ``local_settings.py``::
 
+    CSRF_COOKIE_HTTPONLY = True
+    SESSION_COOKIE_HTTPONLY = True
+
+Client-side JavaScript will not be able to access the cookie if this set to
+True. Note that the HTTPOnly is a flag included in Set-Cookie HTTP response
+header and is not honored consistently by all browsers. This is available from
+Django 1.7
+
+Additionally, adding the following flags to ``local_settings.py`` marks the
+cookies as secure, which ensures that the cookie is only sent under an HTTPS
+connection::
+
     CSRF_COOKIE_SECURE = True
     SESSION_COOKIE_SECURE = True
 
-Note that the CSRF_COOKIE_SECURE option is only available from Django 1.4. It
+Note that the CSRF_COOKIE_SECURE option is only available from Django 1.4 and
-does no harm to have the setting in earlier versions, but it does not take effect.
+SESSION_COOKIE_SECURE from Django 1.7. It does no harm to have the setting in
+earlier versions, but it does not take effect.
 
 You can also disable `browser autocompletion`_ for the authentication form by
 modifying the ``HORIZON_CONFIG`` dictionary in ``local_settings.py`` by adding