From ab10d3c72109ae683387a6c08889d23df9286ddb Mon Sep 17 00:00:00 2001
From: astra-x
Date: Thu, 16 May 2024 11:53:37 +0530
Subject: [PATCH 1/2] use secure and httponly csrf cookie
---
piccolo_api/csrf/middleware.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/piccolo_api/csrf/middleware.py b/piccolo_api/csrf/middleware.py
index 2ac62eed..884f1319 100644
--- a/piccolo_api/csrf/middleware.py
+++ b/piccolo_api/csrf/middleware.py
@@ -120,6 +120,8 @@ async def dispatch(
 self.cookie_name,
 token,
 max_age=self.max_age,
+ httponly=True,
+ secure=True,
 )
 return response
 else:
From 6cdf3a558da0f5c929d0b097fba0a66c569363a9 Mon Sep 17 00:00:00 2001
From: AmazingAkai
Date: Fri, 17 May 2024 20:16:25 +0530
Subject: [PATCH 2/2] add procution param for secure csrf cookie
---
piccolo_api/csrf/middleware.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/piccolo_api/csrf/middleware.py b/piccolo_api/csrf/middleware.py
index 884f1319..8e1db0a9 100644
--- a/piccolo_api/csrf/middleware.py
+++ b/piccolo_api/csrf/middleware.py
@@ -46,6 +46,7 @@ def __init__(
 cookie_name: str = DEFAULT_COOKIE_NAME,
 header_name: str = DEFAULT_HEADER_NAME,
 max_age: int = ONE_YEAR,
+ production: bool = False,
 allow_header_param: bool = True,
 allow_form_param: bool = False,
 **kwargs,
@@ -65,6 +66,8 @@ def __init__(
 different HTTP header.
 :param max_age:
 The max age of the cookie, in seconds.
+ :param production:
+ Whether the CSRF cookie should be secure.
 :param allow_header_param:
 Whether to look for the CSRF token in the HTTP headers.
 :param allow_form_param:
@@ -81,6 +84,7 @@ def __init__(
 self.cookie_name = cookie_name
 self.header_name = header_name
 self.max_age = max_age
+ self.production = production
 self.allow_header_param = allow_header_param
 self.allow_form_param = allow_form_param
 super().__init__(app, **kwargs)
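Review bot: `production: bool = False` is inserted between `max_age` and `allow_header_param` in the `__init__` signature; unless these parameters are keyword-only (a `*` would sit above the hunk, and the `def __init__(` line starts outside it), any caller that passes `allow_header_param` or `allow_form_param` positionally now silently sets `production` instead and shifts the rest. Appending the new parameter after `allow_form_param`, or making the group keyword-only, avoids that. The name also says nothing about what it controls, and the only thing it does in this series is set the cookie's `Secure` flag, so `secure_cookie: bool = False` (keeping `production` as an accepted alias if it has already shipped) would be clearer. Defaulting to `False` means the token cookie is not `Secure` unless the integrator opts in, which is worth stating prominently since most deployments want `True`.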
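Review bot: The new `:param production:` text, `Whether the CSRF cookie should be secure.`, does not tell an integrator what actually changes or when to set it. Suggest replacing it with `Set to True when the app is served over HTTPS: the CSRF cookie is then issued with the Secure flag, so browsers only send it back over TLS. Defaults to False so that local development over plain http keeps working.` This is the only place the flag's security consequence is explained to users, so the default and its trade-off should be spelled out here. The docstring belongs to `__init__`, which begins outside the hunk.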
@@ -120,8 +124,7 @@ async def dispatch(
 self.cookie_name,
 token,
 max_age=self.max_age,
- httponly=True,
- secure=True,
+ secure=self.production,
 )
 return response
 else:
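Review bot: The `httponly=True` added in the previous commit is dropped here without any comment, and the next reader will likely "fix" it back in; with `allow_header_param` the browser-side code has to read this cookie to echo the token in the CSRF header (double-submit), so HttpOnly would break that path, which is presumably why it was removed. Suggest a comment above `secure=self.production,`: `# Not HttpOnly on purpose: the frontend must read this cookie to send the token back in the CSRF header.` Because `production` defaults to `False`, the token cookie is issued without `Secure` by default and will travel over plaintext HTTP, so the default is worth calling out or flipping. `samesite` is not passed here, so whatever `response.set_cookie` defaults to applies (for Starlette responses that is `lax`, if that is the framework in use) and it would be safer to set it explicitly. The enclosing `dispatch` method starts and ends outside the hunk.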