Django CSRF cookie HttpOnly

后端 未结 3 1905
忘掉有多难
忘掉有多难 2021-02-19 10:32

Is it possible to set the django csrf cookie to be http-only? Alike to SESSION_COOKIE_HTTPONLY with session cookie, but for the csrf one?

3条回答
  •  孤独总比滥情好
    2021-02-19 11:05

    You could actually patch your Django files themselves to mimic the functionality present in later versions, if you have below version 1.6.

    The patch is quite simple, and the files modified are visible here:

    https://github.com/django/django/commit/720888a14699a80a6cd07d32514b9dcd5b1005fb

    Pictures showing the edits are provided in case github goes away.

    Here's the rest of that page.

    Image of those edits Image of those edits

    You don't need to worry about these being overwritten by an upgrade, since the upgrade would include these lines itself.

提交回复
热议问题