Django CSRF cookie HttpOnly

Mar*_*ark 12 django httponly csrf

是否可以将django csrf cookie设置为仅限http?SESSION_COOKIE_HTTPONLY与会话cookie 相似,但对于csrf一个?

kni*_*ite 22

CSRF_COOKIE_HTTPONLYDjango 1.6+提供了一个新设置.


okm*_*okm 12

对于Django1.6 +,请检查接受的答案.对于Django1.5和prev,没有为此设置选项.

您可以覆盖process_response()的方法django.middleware.csrf.CsrfViewMiddleware,并使用定制的一个,而不是CsrfViewMiddlewareMIDDLEWARE_CLASSES

class Foo(CsrfViewMiddleware):
    def process_response(self, request, response):
        response = super(Foo, self).process_response(request, response)
        response.cookies[settings.CSRF_COOKIE_NAME]['httponly'] = True
        return response
Run Code Online (Sandbox Code Playgroud)

或者CsrfViewMiddleware在响应之后调用的另一个中间件

class Foo(object):
    def process_response(self, request, response):
        if settings.CSRF_COOKIE_NAME in response.cookies:
            response.cookies[settings.CSRF_COOKIE_NAME]['httponly'] = True
        return response
Run Code Online (Sandbox Code Playgroud)