Set csrf cookie to httponly

The CSRF token is currently inserted directly in the template and not in the browser via JavaScript from the cookie, so making it inaccessible is not a problem. The Sesson-cookie is already httponly by default [0]. [0] https://flask.palletsprojects.com/en/2.1.x/config/?highlight=session_cookie_httponly#SESSION_COOKIE_HTTPONLY
2024-11-08 14:40:27 +00:00 · 2022-05-27 12:53:28 +02:00 · 2022-05-27 12:53:28 +02:00 · ae2ad6527a
commit ae2ad6527a
parent 3e462dab17
2 changed files with 2 additions and 0 deletions
--- a/configs/docker_config.py
+++ b/configs/docker_config.py
@ -2,6 +2,7 @@
 BIND_ADDRESS = '0.0.0.0'
 PORT = 80
 SQLALCHEMY_DATABASE_URI = 'sqlite:////data/powerdns-admin.db'
+CSRF_COOKIE_HTTPONLY = True

 legal_envvars = (
    'SECRET_KEY',
--- a/powerdnsadmin/default_config.py
+++ b/powerdnsadmin/default_config.py
@ -10,6 +10,7 @@ PORT = 9191
 HSTS_ENABLED = False
 OFFLINE_MODE = False
 FILESYSTEM_SESSIONS_ENABLED = False
+CSRF_COOKIE_HTTPONLY = True

 ### DATABASE CONFIG
 SQLA_DB_USER = 'pda'