From 6a2f2a50b61613ec12cbb9e924d704d708935a07 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Fri, 5 Sep 2025 05:56:34 +0200
Subject: [PATCH] Closes #20222: Enable HttpOnly flag for the CSRF cookie

This prevents JS code from reading the CSRF token from the cookie store. If needed, the `window.CSRF_TOKEN` property can be used instead (see also commit cdea302). Actual security benefit of this change is minimal, but it is sometimes requested by auditors.
---
 netbox/netbox/settings.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/netbox/netbox/settings.py b/netbox/netbox/settings.py
index c9eed75e1..5222b3b4f 100644
--- a/netbox/netbox/settings.py
+++ b/netbox/netbox/settings.py
@@ -84,6 +84,7 @@ CORS_ORIGIN_REGEX_WHITELIST = getattr(configuration, 'CORS_ORIGIN_REGEX_WHITELIS
 CORS_ORIGIN_WHITELIST = getattr(configuration, 'CORS_ORIGIN_WHITELIST', [])
 CSRF_COOKIE_NAME = getattr(configuration, 'CSRF_COOKIE_NAME', 'csrftoken')
 CSRF_COOKIE_PATH = f'/{BASE_PATH.rstrip("/")}'
+CSRF_COOKIE_HTTPONLY = True
 CSRF_COOKIE_SECURE = getattr(configuration, 'CSRF_COOKIE_SECURE', False)
 CSRF_TRUSTED_ORIGINS = getattr(configuration, 'CSRF_TRUSTED_ORIGINS', [])
 DATA_UPLOAD_MAX_MEMORY_SIZE = getattr(configuration, 'DATA_UPLOAD_MAX_MEMORY_SIZE', 2621440)
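Review bot: The added `CSRF_COOKIE_HTTPONLY = True` is the only CSRF setting in this hunk that is not read from `configuration` through `getattr`, so a deployment whose plugin or custom JavaScript still obtains the token from `document.cookie` (the pattern Django's own CSRF docs describe for AJAX) has no opt-out short of patching settings.py, and will start failing POSTs once this ships. Consider `CSRF_COOKIE_HTTPONLY = getattr(configuration, 'CSRF_COOKIE_HTTPONLY', True)` so the hardened default stays while remaining overridable exactly like `CSRF_COOKIE_SECURE` on the next line, and a one-line comment such as `# Token is still exposed to scripts via window.CSRF_TOKEN; see commit cdea302` so the next reader knows where front-end code is expected to get it. It is also worth noting in the configuration docs that HttpOnly does not keep the token from a script that already runs on the page (the value is in every form and in `window.CSRF_TOKEN`), which is presumably why the message calls the benefit minimal; the flag with the more material effect for HTTPS deployments remains `CSRF_COOKIE_SECURE`, which this hunk still defaults to `False`.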