Secure csrf tokens

author Magnus Hagander <magnus@hagander.net>

Fri, 20 May 2016 20:10:42 +0000 (16:10 -0400)

committer Magnus Hagander <magnus@hagander.net>

Tue, 24 May 2016 19:14:33 +0000 (21:14 +0200)
author Magnus Hagander <magnus@hagander.net>
Fri, 20 May 2016 20:10:42 +0000 (16:10 -0400)
committer Magnus Hagander <magnus@hagander.net>
Tue, 24 May 2016 19:14:33 +0000 (21:14 +0200)
diff --git a/pgweb/settings.py b/pgweb/settings.py

index 930807356781f66e486ec0bc4122f05b20c690a2..e43c3b6b35d7264664c5f57a793f07f42bca7924 100644 (file)
--- a/pgweb/settings.py
+++ b/pgweb/settings.py
@@ -149,6 +149,11 @@ RECAPTCHA_SECRET_KEY=""
  ###
  SESSION_COOKIE_SECURE=True                             # Allow our session only over https
  SESSION_COOKIE_DOMAIN="www.postgresql.org"             # Don't allow access by other postgresql.org sites
+SESSION_COOKIE_HTTPONLY=True                           # Access over http only, no js
+CSRF_COOKIE_SECURE=SESSION_COOKIE_SECURE
+CSRF_COOKIE_DOMAIN=SESSION_COOKIE_DOMAIN
+CSRF_COOKIE_HTTPONLY=SESSION_COOKIE_HTTPONLY
+
  SITE_ROOT="http://www.postgresql.org"                  # Root of working URLs
  FTP_PICKLE="/usr/local/pgweb/ftpsite.pickle"           # Location of file with current contents from ftp site
  STATIC_CHECKOUT="/usr/local/pgweb-static"              # Location of a checked out pgweb-static project
author	Magnus Hagander <magnus@hagander.net>
	Fri, 20 May 2016 20:10:42 +0000 (16:10 -0400)
committer	Magnus Hagander <magnus@hagander.net>
	Tue, 24 May 2016 19:14:33 +0000 (21:14 +0200)