如果django程序扫描到会话 cookie 中缺少 HttpOnly 属性问题,需要如何进行安全加强?
https://docs.djangoproject.com/en/2.2/ref/settings/#std:setting-CSRF_COOKIE_HTTPONLY
参考官方文档.
CSRF_COOKIE_HTTPONLY¶
Default: False
Whether to use HttpOnly flag on the CSRF cookie. If this is set to True, client-side JavaScript will not to be able to access the CSRF cookie.
Designating the CSRF cookie as HttpOnly doesn’t offer any practical protection because CSRF is only to protect against cross-domain attacks. If an attacker can read the cookie via JavaScript, they’re already on the same domain as far as the browser knows, so they can do anything they like anyway. (XSS is a much bigger hole than CSRF.)
Although the setting offers little practical benefit, it’s sometimes required by security auditors.
If you enable this and need to send the value of the CSRF token with an AJAX request, your JavaScript must pull the value from a hidden CSRF token form input instead of from the cookie.
See SESSION_COOKIE_HTTPONLY for details on HttpOnly.
在settings.py里,设置 CSRF_COOKIE_HTTPONLY = True即可。