diff options
| author | Tim Graham <timograham@gmail.com> | 2016-12-19 17:56:58 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-12-19 17:56:58 -0500 |
| commit | c27104a9c74bc9d9e552d41f53468b103749e110 (patch) | |
| tree | 994d783b44ce2cca39bbd65cf286ffab20f409a8 /docs | |
| parent | 1a04b1762b50ea4d09eb1dc192d57172750b80aa (diff) | |
Fixed #27611 -- Doc'd that CSRF_COOKIE_HTTPONLY setting offers no security.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/checks.txt | 4 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 16 |
2 files changed, 15 insertions, 5 deletions
diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt index 3b16921e52..c6f7e518ef 100644 --- a/docs/ref/checks.txt +++ b/docs/ref/checks.txt @@ -593,7 +593,9 @@ The following checks are run if you use the :option:`check --deploy` option: sniffers to steal the CSRF token. * **security.W017**: :setting:`CSRF_COOKIE_HTTPONLY` is not set to ``True``. Using an ``HttpOnly`` CSRF cookie makes it more difficult for cross-site - scripting attacks to steal the CSRF token. + scripting attacks to steal the CSRF token. *This check is removed in Django + 1.11 as the* :setting:`CSRF_COOKIE_HTTPONLY` *setting offers no pratical + benefit.* * **security.W018**: You should not have :setting:`DEBUG` set to ``True`` in deployment. * **security.W019**: You have diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 87dbc89584..1d28c96137 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -334,10 +334,18 @@ Default: ``False`` Whether to use ``HttpOnly`` flag on the CSRF cookie. If this is set to ``True``, client-side JavaScript will not to be able to access the CSRF cookie. -This can help prevent malicious JavaScript from bypassing CSRF protection. If -you enable this and need to send the value of the CSRF token with Ajax requests, -your JavaScript will need to pull the value from a hidden CSRF token form input -on the page instead of from the cookie. +Designating the CSRF cookie as ``HttpOnly`` doesn't offer any practical +protection because CSRF is only to protect against cross-domain attacks. If an +attacker can read the cookie via JavaScript, they're already on the same domain +as far as the browser knows, so they can do anything they like anyway. (XSS is +a much bigger hole than CSRF.) + +Although the setting offers little practical benefit, it's sometimes required +by security auditors. + +If you enable this and need to send the value of the CSRF token with an AJAX +request, your JavaScript must pull the value from a hidden CSRF token form +input on the page instead of from the cookie. See :setting:`SESSION_COOKIE_HTTPONLY` for details on ``HttpOnly``. |
