mirror of
https://github.com/zulip/zulip.git
synced 2026-07-09 21:21:47 +08:00
Set the CSRF token cookie as HttpOnly
(imported from commit 0bf4239db085edcfc311efeb61da3ef409cc6206)
This commit is contained in:
parent
80ef222a60
commit
3e86da67f9
@ -84,6 +84,11 @@ if deployed:
|
||||
SESSION_COOKIE_SECURE = True
|
||||
CSRF_COOKIE_SECURE = True
|
||||
|
||||
# Prevent Javascript from reading the CSRF token from cookies. Our code gets
|
||||
# the token from the DOM, which means malicious code could too. But hiding the
|
||||
# cookie will slow down some attackers.
|
||||
CSRF_COOKIE_PATH = '/;HttpOnly'
|
||||
|
||||
# Used just for generating initial passwords and API keys.
|
||||
INITIAL_PASSWORD_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
|
||||
INITIAL_API_KEY_SALT = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
|
||||
|
||||
Loading…
Reference in New Issue
Block a user