Adding the HTTPONLY cookie header to secure_cookies

Change-Id: Ic34170530b260b426fd65ac96aa5f494591c2ff1 Closes-Bug: #1860608 (cherry picked from commit fc6226565b)
2020-01-22 16:25:53 -05:00 · 2020-01-22 16:25:53 -05:00 · 191cc05adf
parent 3c12384f9b
commit 191cc05adf
2 changed files with 3 additions and 0 deletions
--- a/spec/classes/horizon_init_spec.rb
+++ b/spec/classes/horizon_init_spec.rb
@ -154,6 +154,7 @@ describe 'horizon' do
          "SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'",
          'CSRF_COOKIE_SECURE = True',
          'SESSION_COOKIE_SECURE = True',
+          'SESSION_COOKIE_HTTPONLY = True',
          "  'identity': 2.0,",
          "OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True",
          "OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'domain.tld'",
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@ -71,9 +71,11 @@ SECURE_PROXY_ADDR_HEADER = '<%= @secure_proxy_addr_header %>'
 <% if @secure_cookies %>
 CSRF_COOKIE_SECURE = True
 SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_HTTPONLY = True
 <% else %>
 #CSRF_COOKIE_SECURE = True
 #SESSION_COOKIE_SECURE = True
+#SESSION_COOKIE_HTTPONLY = True
 <% end %>

 # Overrides for OpenStack API versions. Use this setting to force the