Use secure and httponly csrf cookie #284
Conversation
piccolo_api/csrf/middleware.py
Outdated
| @@ -120,6 +120,8 @@ async def dispatch( | |||
| self.cookie_name, | |||
| token, | |||
| max_age=self.max_age, | |||
| httponly=True, | |||
There was a problem hiding this comment.
With CSRF cookies, when the front end code makes AJAX requests, it has to read the value from the CSRF cookie and submit it as a HTTP header. So we can't use httponly unfortunately.
https://piccolo-api.readthedocs.io/en/latest/csrf/usage.html#reading-from-the-cookie
piccolo_api/csrf/middleware.py
Outdated
| @@ -120,6 +120,8 @@ async def dispatch( | |||
| self.cookie_name, | |||
| token, | |||
| max_age=self.max_age, | |||
| httponly=True, | |||
| secure=True, | |||
There was a problem hiding this comment.
The only reason this was currently set to False is because when using Piccolo Admin locally, most people wouldn't run it under HTTPS so it would stop working. I think a good compromise would be to have this configurable. For example, we have a production argument with Session auth:
There was a problem hiding this comment.
Hmm, this needs to be updated in piccolo admin as well, right?
There was a problem hiding this comment.
Yeah, that's right. We would pass production in here: https://github.com/piccolo-orm/piccolo_admin/blob/5e8e96d56656cbf7283b63f8729d0748eb895867/piccolo_admin/endpoints.py#L439
|
@dantownsend Is this alright now? |
No description provided.