On Wed, Apr 3, 2019 at 4:31 AM Aldian Fazrihady <mob...@aldian.net> wrote:
> Many production systems, including mine, are using HTTPS, which > effectively blocks the capability of attackers from sniffing other people's > cookies. > Closing off opportunities to sniff cookies is more complex than just using HTTPS, which is why the 'Secure' and 'HttpOnly' flags exist on cookies, why HSTS and preloading exist, and several other mechanisms. If you are using HTTPS, you should have both SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE set to True. This thread is discussing whether and how we could default those to True. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAL13Cg-JpDxFVzAHqGmveMxVMD_2k5i%3DB%2BfwwLERi8pGY0%3DGJQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.