Closes #20222: Enable HttpOnly flag for the CSRF cookie

This prevents JS code from reading the CSRF token from the cookie store.
If needed, the `window.CSRF_TOKEN` property can be used instead (see
also commit cdea302).

The actual security benefit of this change is minimal, but it is sometimes
requested by auditors.
Timotej Lazar 2025-09-05 05:56:34 +02:00
parent 309e434064
commit 6a2f2a50b6


@ -84,6 +84,7 @@ CORS_ORIGIN_REGEX_WHITELIST = getattr(configuration, 'CORS_ORIGIN_REGEX_WHITELIS
CORS_ORIGIN_WHITELIST = getattr(configuration, 'CORS_ORIGIN_WHITELIST', [])
CSRF_COOKIE_NAME = getattr(configuration, 'CSRF_COOKIE_NAME', 'csrftoken')
CSRF_COOKIE_PATH = f'/{BASE_PATH.rstrip("/")}'
CSRF_COOKIE_HTTPONLY = True
CSRF_COOKIE_SECURE = getattr(configuration, 'CSRF_COOKIE_SECURE', False)
CSRF_TRUSTED_ORIGINS = getattr(configuration, 'CSRF_TRUSTED_ORIGINS', [])
DATA_UPLOAD_MAX_MEMORY_SIZE = getattr(configuration, 'DATA_UPLOAD_MAX_MEMORY_SIZE', 2621440)
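Review bot: `CSRF_COOKIE_HTTPONLY = True` is hard-coded, while the neighbouring settings in this hunk (`CSRF_COOKIE_NAME`, `CSRF_COOKIE_SECURE`, `CSRF_TRUSTED_ORIGINS`) are all read from `configuration` via `getattr(..., default)`, so an operator has no way to override it. If the intent is to make it non-configurable, say so in a comment next to the line; otherwise follow the surrounding pattern, e.g. `CSRF_COOKIE_HTTPONLY = getattr(configuration, 'CSRF_COOKIE_HTTPONLY', True)`. Separately, the commit message notes that JS can no longer read the token from the cookie and must use `window.CSRF_TOKEN` instead (commit cdea302), but this hunk carries no documentation or release-note change; any out-of-tree script or plugin that reads `csrftoken` from `document.cookie` will start failing CSRF checks, so that migration path should be documented alongside this setting.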