Set the HTTPOnly flag on cookies

Bug #863912 reported by François Marier
Affects: Libravatar (obsolete)
Status: Fix Released
Importance: Medium
Assigned to: François Marier

Bug Description

Once we upgrade to Django 1.3, we should set the HTTPOnly flag on session cookies:

  https://docs.djangoproject.com/en/dev/topics/http/sessions/

as mentioned in the Mozilla Secure Coding Guidelines:

  https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#HTTP-Only_Flag

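The description asks for the HttpOnly flag on the session cookie. The script below is an added example for this report, not Libravatar or Django code: it builds the Set-Cookie header a hardened session cookie carries, next to the weak form without the flag, and audits a list of Set-Cookie header values for cookies that lack HttpOnly, which is how a deployer can confirm the fix from outside the application. SESSION_COOKIE_HTTPONLY is the real Django setting name; the cookie name "sessionid", the helper functions and the sample header values are constructed for the example.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example for this bug report; not Libravatar or Django code. In Django
the setting behind this is SESSION_COOKIE_HTTPONLY (True by default from
1.4, as the comment on this bug notes). The helpers below show what the
resulting header looks like and how to verify it from the client side.
"""
from http.cookies import SimpleCookie


def build_session_cookie(value, httponly=True, secure=True):
    """Return a Set-Cookie header value for a session cookie.

    SimpleCookie is the standard-library cookie builder; it emits the same
    attribute names ("HttpOnly", "Secure") that browsers look for.
    """
    cookie = SimpleCookie()
    cookie["sessionid"] = value          # cookie name is an assumption
    cookie["sessionid"]["path"] = "/"
    if httponly:
        cookie["sessionid"]["httponly"] = True   # keeps document.cookie from reading it
    if secure:
        cookie["sessionid"]["secure"] = True     # only sent over HTTPS
    return cookie["sessionid"].OutputString()


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into its cookie name and flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    # Attributes without "=" are boolean flags; compare case-insensitively.
    flags = {p.lower() for p in parts[1:] if "=" not in p}
    return {
        "name": name.strip(),
        "httponly": "httponly" in flags,
        "secure": "secure" in flags,
    }


def missing_httponly(headers):
    """Return the names of cookies in `headers` that lack the HttpOnly flag."""
    return [c["name"] for c in map(parse_set_cookie, headers) if not c["httponly"]]


# Constructed sample headers, as a deployment might return them.
SAMPLE_HEADERS = [
    "sessionid=constructed-session-token; Path=/; HttpOnly; Secure",
    "legacy_session=constructed-legacy-token; Path=/",
]

if __name__ == "__main__":
    print("hardened:", build_session_cookie("constructed-session-token"))
    print("weak:    ", build_session_cookie("constructed-session-token", httponly=False))
    print("cookies missing HttpOnly:", missing_httponly(SAMPLE_HEADERS))
```

Run against the Set-Cookie headers from a real response (for example the ones a curl -i call prints) to confirm that every session cookie comes back with HttpOnly; the audit reports any cookie without it, which is the condition this bug was opened to remove.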
Tags: wheezy
tags: added: wheezy
removed: django13
Changed in libravatar:
assignee: nobody → François Marier (fmarier)
François Marier (fmarier) wrote:

This is the default in Django 1.4 and was automatically enabled when we moved to Wheezy and Django 1.4.

Changed in libravatar:
status: Triaged → Fix Released