steve
/
mybuddy
mirror of https://github.com/snachodog/mybuddy.git
1
0
Fork 0
Code Issues 3 Packages Projects 1 Releases Wiki Activity

Allow setting CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE via env vars

This commit is contained in:
Tom Pansino 2022-11-23 18:26:05 -08:00 committed by Christopher Charbonneau Wells
parent 94f81e3754
commit 6acadcb11b
2 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
babybuddy/settings/base.py
View File

@ -268,11 +268,11 @@ if os.environ.get("SECURE_PROXY_SSL_HEADER"):
# https://docs.djangoproject.com/en/4.0/topics/http/sessions/#settings
SESSION_COOKIE_HTTPONLY = True
# SESSION_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = bool(strtobool(os.environ.get("SESSION_COOKIE_SECURE") or "False"))
# https://docs.djangoproject.com/en/4.0/ref/csrf/#settings
CSRF_COOKIE_HTTPONLY = True
# CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = bool(strtobool(os.environ.get("CSRF_COOKIE_SECURE") or "False"))
CSRF_FAILURE_VIEW = "babybuddy.views.csrf_failure"
CSRF_TRUSTED_ORIGINS = list(
filter(None, os.environ.get("CSRF_TRUSTED_ORIGINS", "").split(","))

18
docs/configuration/security.md
View File

@ -19,6 +19,15 @@ Do not include schemes ("http" or "https") with this setting.
- [`CSRF_TRUSTED_ORIGINS`](#csrf_trusted_origins)
- [`SECURE_PROXY_SSL_HEADER`](#secure_proxy_ssl_header)
## `CSRF_COOKIE_SECURE`
*Default:* `False`
If this is set to `True`, the browser CSRF cookie will be marked as "secure", which instructs the browser to only send the cookie over an HTTPS connection (never HTTP).
**See also**
- [Django's documentation on the `CSRF_COOKIE_SECURE` setting](https://docs.djangoproject.com/en/4.0/ref/settings/#csrf-cookie-secure)
## `CSRF_TRUSTED_ORIGINS`
*Default:* `None`
@ -89,3 +98,12 @@ came in via HTTPS).
- [Django's documentation on the SECURE_PROXY_SSL_HEADER setting](https://docs.djangoproject.com/en/4.0/ref/settings/#secure-proxy-ssl-header)
- [`ALLOWED_HOSTS`](#allowed_hosts)
- [`CSRF_TRUSTED_ORIGINS`](#csrf_trusted_origins)
## `SESSION_COOKIE_SECURE`
*Default:* `False`
If this is set to `True`, the browser session cookie will be marked as "secure", which instructs the browser to only send the cookie over an HTTPS connection (never HTTP).
**See also**
- [Django's documentation on the `SESSION_COOKIE_SECURE` setting](https://docs.djangoproject.com/en/4.0/ref/settings/#session-cookie-secure)