[GH-ISSUE #3298] CSRF Login Token Cookie should set HTTPOnly Flag #1827

Open
opened 2026-02-27 11:19:20 +03:00 by kerem · 1 comment
Owner

Originally created by @rufinus on GitHub (Aug 6, 2024).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/3298

Impacted versions

  • OS Type: Debian/Ubuntu
  • OS Version: 24.04
  • Modoboa: 2.2.4
  • installer used: Yes
  • Webserver: Nginx

Steps to reproduce

Watch Header on LoginScreen

Current behavior

Set-Cookie:
csrftoken=ZTjoHY2tN34az3p31CeaX49zSTbgZtZ6; expires=Tue, 05 Aug 2025 10:21:00 GMT; Max-Age=31449600; Path=/; SameSite=Lax; Secure

Expected behavior

Set-Cookie:
csrftoken=ZTjoHY2tN34az3p31CeaX49zSTbgZtZ6; expires=Tue, 05 Aug 2025 10:21:00 GMT; Max-Age=31449600; Path=/; SameSite=Lax; HTTPOnly; Secure


@Spitfireap commented on GitHub (Aug 12, 2024):

Hi,
According to Django you can set it (https://docs.djangoproject.com/en/5.0/ref/settings/#csrf-cookie-httponly) if you want, but the Django team is not convinced that it increases security.

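An added check (not code from the Modoboa project or from anyone in this thread) that parses the two Set-Cookie values quoted in the report and lists which hygiene flags are absent, so the "current" header produces exactly one finding and the "expected" header none. In Django the flag in question is governed by the CSRF_COOKIE_HTTPONLY setting the comment links to; whether it adds anything for a CSRF token is the point the Django team makes above.

```python
"""Audit the attribute flags on a Set-Cookie header value."""
from __future__ import annotations

# Set-Cookie values copied from this issue's "Current behavior" and
# "Expected behavior" sections (the token value is the one the reporter pasted).
CURRENT_HEADER = (
    "csrftoken=ZTjoHY2tN34az3p31CeaX49zSTbgZtZ6; expires=Tue, 05 Aug 2025 10:21:00 GMT; "
    "Max-Age=31449600; Path=/; SameSite=Lax; Secure"
)
EXPECTED_HEADER = (
    "csrftoken=ZTjoHY2tN34az3p31CeaX49zSTbgZtZ6; expires=Tue, 05 Aug 2025 10:21:00 GMT; "
    "Max-Age=31449600; Path=/; SameSite=Lax; HTTPOnly; Secure"
)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so "HTTPOnly" and "HttpOnly" compare equal;
    flags without a value (Secure, HttpOnly) map to None.  Splitting on ';' is
    safe here: the Expires date contains a comma but never a semicolon.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> list[str]:
    """Return hygiene findings for one Set-Cookie value (empty list means clean)."""
    _, _, attrs = parse_set_cookie(header)
    findings = [f"missing {flag}" for flag in ("secure", "httponly") if flag not in attrs]
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("samesite is not Lax or Strict")
    return findings


if __name__ == "__main__":
    for label, header in (("current", CURRENT_HEADER), ("expected", EXPECTED_HEADER)):
        name, _, _ = parse_set_cookie(header)
        print(f"{label}: cookie {name!r} -> {audit_set_cookie(header) or 'no findings'}")
```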