diff options
| author | Nick Pope <nick.pope@flightdataservices.com> | 2018-06-25 14:21:21 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2019-03-27 10:09:23 -0400 |
| commit | 398afba084679f1055926f6f91bd33fe124a92c5 (patch) | |
| tree | 7ff2ea83061d4bd87d840c907bfbf980a0fad77b /docs/ref | |
| parent | 2afd670de5b2f28f56f722a95344fb7eefad3d37 (diff) | |
Updated spelling and RFCs in HttpOnly cookie flag docs.
Diffstat (limited to 'docs/ref')
| -rw-r--r-- | docs/ref/request-response.txt | 10 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 16 |
2 files changed, 11 insertions, 15 deletions
diff --git a/docs/ref/request-response.txt b/docs/ref/request-response.txt index c27ab677d0..7a99a7c6ba 100644 --- a/docs/ref/request-response.txt +++ b/docs/ref/request-response.txt @@ -802,18 +802,16 @@ Methods * Use ``httponly=True`` if you want to prevent client-side JavaScript from having access to the cookie. - HTTPOnly_ is a flag included in a Set-Cookie HTTP response - header. It is not part of the :rfc:`2109` standard for cookies, - and it isn't honored consistently by all browsers. However, - when it is honored, it can be a useful way to mitigate the - risk of a client-side script from accessing the protected cookie + HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's + part of the :rfc:`6265` standard for cookies and can be a useful way to + mitigate the risk of a client-side script accessing the protected cookie data. * Use ``samesite='Strict'`` or ``samesite='Lax'`` to tell the browser not to send this cookie when performing a cross-origin request. `SameSite`_ isn't supported by all browsers, so it's not a replacement for Django's CSRF protection, but rather a defense in depth measure. - .. _HTTPOnly: https://www.owasp.org/index.php/HTTPOnly + .. _HttpOnly: https://www.owasp.org/index.php/HttpOnly .. _SameSite: https://www.owasp.org/index.php/SameSite .. warning:: diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 0bac3fc9d0..9683f2d412 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2984,22 +2984,20 @@ This setting also affects cookies set by :mod:`django.contrib.messages`. Default: ``True`` -Whether to use ``HTTPOnly`` flag on the session cookie. If this is set to -``True``, client-side JavaScript will not to be able to access the -session cookie. +Whether to use ``HttpOnly`` flag on the session cookie. If this is set to +``True``, client-side JavaScript will not to be able to access the session +cookie. -HTTPOnly_ is a flag included in a Set-Cookie HTTP response header. It -is not part of the :rfc:`2109` standard for cookies, and it isn't honored -consistently by all browsers. However, when it is honored, it can be a -useful way to mitigate the risk of a client side script accessing the -protected cookie data. +HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of +the :rfc:`6265` standard for cookies and can be a useful way to mitigate the +risk of a client-side script accessing the protected cookie data. This makes it less trivial for an attacker to escalate a cross-site scripting vulnerability into full hijacking of a user's session. There aren't many good reasons for turning this off. Your code shouldn't read session cookies from JavaScript. -.. _HTTPOnly: https://www.owasp.org/index.php/HTTPOnly +.. _HttpOnly: https://www.owasp.org/index.php/HttpOnly .. setting:: SESSION_COOKIE_NAME |
