Enable HttpOnly flag for the CSRF cookie #20222

@jetomit

Description

NetBox version

v4.2.9

Feature type

Other

Proposed functionality

Enable the Django setting CSRF_COOKIE_HTTPONLY.

If there are any plugins that access the CSRF cookie from JS code instead of using the window.CSRF_TOKEN property (see #10205), they might break. So alternatively make the setting configurable by adding to settings.py:

CSRF_COOKIE_HTTPONLY = getattr(configuration, 'CSRF_COOKIE_HTTPONLY', False)

I have tested CSRF_COOKIE_HTTPONLY = True in our environment according to steps described in #9963 and found no issues. I’ll be happy to submit a pull request if this proposal is accepted. Thanks!

Use case

Mainly to appease our auditors. The security benefit is marginal, but there should be no downside (except as described above if the setting is enabled unconditionally).

Database changes

None.

External dependencies

None.
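An added verification check, not part of the issue text or of NetBox's own code: after enabling the setting, feed the Set-Cookie header values from a NetBox response (for example, from a `curl -i` request to the login page) to this script and confirm the CSRF cookie now carries HttpOnly. The sample headers below are constructed, and the cookie name assumes Django's default `csrftoken`.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, modelled on what a Django login page
# returns before and after enabling CSRF_COOKIE_HTTPONLY. Assumption: the
# cookie keeps Django's default name "csrftoken". Not captured from a real instance.
SET_COOKIE_BEFORE = [
    "csrftoken=examplecsrfvalue; expires=Fri, 01 Jan 2027 00:00:00 GMT; "
    "Max-Age=31449600; Path=/; SameSite=Lax",
    "sessionid=examplesessionvalue; HttpOnly; Path=/; SameSite=Lax; Secure",
]
SET_COOKIE_AFTER = [
    "csrftoken=examplecsrfvalue; expires=Fri, 01 Jan 2027 00:00:00 GMT; "
    "HttpOnly; Max-Age=31449600; Path=/; SameSite=Lax",
    "sessionid=examplesessionvalue; HttpOnly; Path=/; SameSite=Lax; Secure",
]


def parse_set_cookie_headers(headers):
    """Parse a list of Set-Cookie header values into a {name: Morsel} cookie jar."""
    jar = SimpleCookie()
    for header in headers:
        jar.load(header)
    return jar


def csrf_cookie_audit(headers, cookie_name="csrftoken"):
    """Report which protective attributes the CSRF cookie carries.

    A missing cookie yields present=False with every flag False.
    """
    jar = parse_set_cookie_headers(headers)
    morsel = jar.get(cookie_name)
    if morsel is None:
        return {"present": False, "httponly": False, "secure": False, "samesite": ""}
    return {
        "present": True,
        # SimpleCookie stores flag attributes as True when present and "" when absent.
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "samesite": morsel["samesite"],
    }


def csrf_cookie_is_httponly(headers, cookie_name="csrftoken"):
    """True only when the CSRF cookie exists and has the HttpOnly flag set."""
    report = csrf_cookie_audit(headers, cookie_name)
    return report["present"] and report["httponly"]


if __name__ == "__main__":
    for label, headers in (("before", SET_COOKIE_BEFORE), ("after", SET_COOKIE_AFTER)):
        print(label, csrf_cookie_audit(headers))
```

If a plugin reads the token from `document.cookie` it will stop seeing it once this check passes, which is the breakage the issue warns about; such plugins should switch to `window.CSRF_TOKEN`.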

Labels

complexity: low (Requires minimal effort to implement)
status: accepted (This issue has been accepted for implementation)
type: feature (Introduction of new functionality to the application)