Cookies
Session cookies should be set to HTTPONLY:
SESSION_COOKIE_HTTPONLY = True

Never configure CSRF or session cookies to have a wildcard domain with a leading dot. Horizon's session and CSRF cookies should be secured when deployed with HTTPS:
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
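As an added example (not part of the guide or of Horizon itself), the following Python function audits a loaded Django settings mapping for the three cookie flags above and for the leading-dot wildcard domain; the two settings dicts are constructed stand-ins for what you would get from Horizon's local settings module, and the Django defaults used for missing keys are assumptions noted in the comments.

```python
"""Audit Horizon/Django cookie settings for the hardening described above.

Added example: not the OpenStack Security Guide's or Horizon's own code.
"""

# Constructed sample: the kind of mapping you get from vars(local_settings)
# after loading Horizon's local settings module. Values are illustrative.
WEAK_SETTINGS = {
    "SESSION_COOKIE_HTTPONLY": False,
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_DOMAIN": ".example.com",   # leading-dot wildcard
    "CSRF_COOKIE_DOMAIN": None,
}

HARDENED_SETTINGS = {
    "SESSION_COOKIE_HTTPONLY": True,
    "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_DOMAIN": "dashboard.example.com",
    "CSRF_COOKIE_DOMAIN": None,
}


def audit_cookie_settings(settings, https=True):
    """Return a list of findings; an empty list means the cookies are hardened.

    `settings` maps Django setting names to values. Keys that are absent fall
    back to Django's documented defaults (assumed here): SESSION_COOKIE_HTTPONLY
    is True, both *_SECURE flags are False and both *_DOMAIN values are None.
    """
    findings = []
    if not settings.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append("SESSION_COOKIE_HTTPONLY must be True so page scripts "
                        "cannot read the session cookie")
    if https:  # the Secure flag only matters when Horizon is served over TLS
        for name in ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE"):
            if not settings.get(name, False):
                findings.append(f"{name} must be True when deployed with HTTPS")
    for name in ("SESSION_COOKIE_DOMAIN", "CSRF_COOKIE_DOMAIN"):
        domain = settings.get(name)
        if isinstance(domain, str) and domain.startswith("."):
            findings.append(f"{name}={domain!r} is a wildcard domain; the cookie "
                            "would be sent to every subdomain")
    return findings


if __name__ == "__main__":
    for finding in audit_cookie_settings(WEAK_SETTINGS):
        print("FAIL:", finding)
    print("hardened findings:", audit_cookie_settings(HARDENED_SETTINGS))
```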