starred/modoboa-modoboa
1
0
Fork 0
mirror of https://github.com/modoboa/modoboa.git synced 2026-04-25 00:46:03 +03:00
Code Issues 60 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #3298] CSRF Login Token Cookie should set HTTPOnly Flag #1827

New issue
Open
opened 2026-02-27 11:19:20 +03:00 by kerem · 1 comment
kerem commented 2026-02-27 11:19:20 +03:00
Owner
Copy link

Originally created by @rufinus on GitHub (Aug 6, 2024).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/3298

Impacted versions

  • OS Type: Debian/Ubuntu
  • OS Version: 24.04
  • Modoboa: 2.2.4
  • installer used: Yes
  • Webserver: Nginx

Steps to reproduce

Watch Header on LoginScreen

Current behavior

Set-Cookie:
csrftoken=ZTjoHY2tN34az3p31CeaX49zSTbgZtZ6; expires=Tue, 05 Aug 2025 10:21:00 GMT; Max-Age=31449600; Path=/; SameSite=Lax; Secure

Expected behavior

Set-Cookie:
csrftoken=ZTjoHY2tN34az3p31CeaX49zSTbgZtZ6; expires=Tue, 05 Aug 2025 10:21:00 GMT; Max-Age=31449600; Path=/; SameSite=Lax; HTTPOnly; Secure

Originally created by @rufinus on GitHub (Aug 6, 2024). Original GitHub issue: https://github.com/modoboa/modoboa/issues/3298 # Impacted versions * OS Type: Debian/Ubuntu * OS Version: 24.04 * Modoboa: 2.2.4 * installer used: Yes * Webserver: Nginx # Steps to reproduce Watch Header on LoginScreen # Current behavior Set-Cookie: csrftoken=ZTjoHY2tN34az3p31CeaX49zSTbgZtZ6; expires=Tue, 05 Aug 2025 10:21:00 GMT; Max-Age=31449600; Path=/; SameSite=Lax; Secure # Expected behavior Set-Cookie: csrftoken=ZTjoHY2tN34az3p31CeaX49zSTbgZtZ6; expires=Tue, 05 Aug 2025 10:21:00 GMT; Max-Age=31449600; Path=/; SameSite=Lax; HTTPOnly; Secure
kerem commented 2026-02-27 11:19:21 +03:00
Author
Owner
Copy link

@Spitfireap commented on GitHub (Aug 12, 2024):

Hi,
According to django you can set it if you want, but the django team is not convinced that it increases security

<!-- gh-comment-id:2283432711 --> @Spitfireap commented on GitHub (Aug 12, 2024): Hi, According to django [you can set it](https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-cookie-httponly) if you want, but the django team is not convinced that it increases security
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix/sievefilters-allow-email-in-rule-name
dependabot/npm_and_yarn/frontend/axios-1.15.0
translations_04c0b653215cb5fa48ab101eae1a1917_ja_JP
translations_5d93982e9fd6dab991db4faf93ce9ded_ja_JP
fix/login-issue-3995
fix/sievefilters-issues
add-vitepress-openapi
2974-dmarc-empty-email
2.3.x
updated-doc-2.3.0
feature/OIDC
delete-all-alarms
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_af_ZA
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ar
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ca
1.x
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_sk
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_tr
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_es_ES
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_uk
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_zh_CN
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_de_DE
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_da_DK
1.8.x
1.7.x
1.6.x
1.4.x
1.3.x
1.2.x
2.8.2
2.8.1
2.8.0
2.7.2
2.7.1
2.7.0
2.6.5
2.6.4
2.6.3
2.6.2
2.6.1
2.6.0
2.5.1
2.5.0
2.4.11
2.4.10
2.4.9
2.4.8
2.4.7
2.4.6
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.3.6
2.3.5
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.3.0-beta.4
2.3.0-beta.3
2.3.0-beta.2
2.3.0-beta.1
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
2.1.2
2.1.1
2.1.0
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
2.0.0
2.0.0-beta.3
2.0.0-beta.2
2.0.0-beta.1
1.17.0
1.16.1
1.16.0
1.15.0
1.14.0
1.13.1
1.13.0
1.12.2
1.12.1
1.12.0
1.11.1
1.11.0
1.10.7
1.10.6
1.10.5
1.10.4
1.10.3
1.10.2
1.10.1
1.10.0
1.9.1
1.9.0
1.8.3
1.8.2
1.8.1
1.8.0
1.7.4
1.7.3
1.7.2
1.7.1
1.7.0
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1
1.5.0
1.4.5
1.4.4
1.4.3
1.4.2
1.4.1
1.4.0
1.3.5
1.3.4
1.2.2
1.3.3
1.3.2
1.3.1
1.3.0
1.2.1
1.2.0
1.2.0-rc2
1.2.0-rc1
1.1.7
1.1.6
1.1.5
1.1.4
1.1.3
1.1.2
1.1.1
1.1.0
1.0.1
1.0.0
0.9.5
0.9.4
0.9.3
0.9.2
0.9.1
0.9
0.8.8
0.8.7
0.8.6.1
0.8.6
0.8.5
0.8.4
0.8.3
0.8.3-rc1
0.8.2
0.8.1
0.8
0.8-rc2
0.8-rc1
0.7.2
0.7.1
0.7
0.6.1
0.6
0.5
0.3
0.2
0.1
Labels
Clear labels   
bug

   
bug

   
dependencies

   
design

   
documentation

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
feedback-needed

   
help-needed

   
help-needed

   
installer

   
invalid

   
looking-for-sponsors

   
modoboa-contacts

   
new-ui

   
new-ui

   
pr

   
pull-request

Mirrored from GitHub Pull Request

  
pyconfr

   
python

   
question

   
security

   
stale

   
webmail

   
wontfix
No labels
bug
bug
dependencies
design
documentation
duplicate
enhancement
enhancement
enhancement
feedback-needed
help-needed
help-needed
installer
invalid
looking-for-sponsors
modoboa-contacts
new-ui
new-ui
pr
pull-request
pyconfr
python
question
security
stale
webmail
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/modoboa-modoboa#1827
No description provided.