How do I set HttpOnly cookie in Django?

Use

SESSION_COOKIE_HTTPONLY = True

in settings.py


SESSION_COOKIE_PATH = '/;HttpOnly'

A discussion can be found here: http://groups.google.com/group/django-users/browse_thread/thread/bd7f562d5b938054/a229073ae836f4d2?lnk=raot&pli=1


In Django 3.0 you can set the following cookies to True in your settings.py:

  • LANGUAGE_COOKIE_HTTPONLY
  • SESSION_COOKIE_HTTPONLY
  • CSRF_COOKIE_HTTPONLY

For instance, if

SESSION_COOKIE_HTTPONLY = True

Then your client-side JavaScript will not be able to access the session cookie.
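As an added example (not code from any of the answers above): a small check that parses a response's Set-Cookie headers and lists which of Django's default cookies (sessionid, csrftoken, django_language) are being sent without HttpOnly, naming the setting from the answer that enables it. The Set-Cookie lines are constructed placeholders, not a real response.

```python
from typing import Dict, List, Tuple

# Default Django cookie names and the settings.py flag that marks each HttpOnly.
HTTPONLY_SETTING_FOR = {
    "sessionid": "SESSION_COOKIE_HTTPONLY",
    "csrftoken": "CSRF_COOKIE_HTTPONLY",
    "django_language": "LANGUAGE_COOKIE_HTTPONLY",
}

# Constructed Set-Cookie headers resembling a Django response; values are
# placeholders, not real tokens. Only the session cookie carries HttpOnly here.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=PLACEHOLDER_SESSION; HttpOnly; Path=/; SameSite=Lax; Secure",
    "csrftoken=PLACEHOLDER_CSRF; Path=/; SameSite=Lax",
    "django_language=en; Max-Age=31536000; Path=/",
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header into (cookie name, {attribute: value}).

    Flag attributes without a value (HttpOnly, Secure) map to "" so their
    presence can be tested with `in`. Attribute names are lowercased because
    they are case-insensitive per RFC 6265.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name.strip(), attrs


def cookies_missing_httponly(headers: List[str]) -> Dict[str, str]:
    """Return {cookie name: setting to enable} for cookies sent without HttpOnly.

    Cookies that are not Django's defaults are reported with an empty setting
    so the caller still sees them.
    """
    missing: Dict[str, str] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            missing[name] = HTTPONLY_SETTING_FOR.get(name, "")
    return missing


if __name__ == "__main__":
    for name, setting in cookies_missing_httponly(SAMPLE_SET_COOKIE_HEADERS).items():
        hint = f" -> set {setting} = True" if setting else ""
        print(f"{name} is readable from JavaScript{hint}")
```

One caveat when enabling CSRF_COOKIE_HTTPONLY: JavaScript that reads the csrftoken cookie to fill the X-CSRFToken header on AJAX requests will stop working, so the token then has to be read from the hidden form field instead.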