From ae2ad6527a81adef5c4bf858fdd4f3865fb351be Mon Sep 17 00:00:00 2001
From: corubba
Date: Fri, 27 May 2022 12:53:28 +0200
Subject: [PATCH] Set csrf cookie to httponly

The CSRF token is currently inserted directly in the template and not in the browser via JavaScript from the cookie, so making it inaccessible is not a problem. The Sesson-cookie is already httponly by default [0].

[0] https://flask.palletsprojects.com/en/2.1.x/config/?highlight=session_cookie_httponly#SESSION_COOKIE_HTTPONLY
---
 configs/docker_config.py        | 1 +
 powerdnsadmin/default_config.py | 1 +
 2 files changed, 2 insertions(+)

diff --git a/configs/docker_config.py b/configs/docker_config.py
index 6666fc2..ba0a233 100644
--- a/configs/docker_config.py
+++ b/configs/docker_config.py
@@ -2,6 +2,7 @@
 BIND_ADDRESS = '0.0.0.0'
 PORT = 80
 SQLALCHEMY_DATABASE_URI = 'sqlite:////data/powerdns-admin.db'
+CSRF_COOKIE_HTTPONLY = True
 
 legal_envvars = (
     'SECRET_KEY',
diff --git a/powerdnsadmin/default_config.py b/powerdnsadmin/default_config.py
index 16b8161..8737680 100644
--- a/powerdnsadmin/default_config.py
+++ b/powerdnsadmin/default_config.py
@@ -10,6 +10,7 @@ PORT = 9191
 HSTS_ENABLED = False
 OFFLINE_MODE = False
 FILESYSTEM_SESSIONS_ENABLED = False
+CSRF_COOKIE_HTTPONLY = True
 
 ### DATABASE CONFIG
 SQLA_DB_USER = 'pda'
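Review bot: The new `CSRF_COOKIE_HTTPONLY = True` line in configs/docker_config.py is only safe because, per the commit message, the token is rendered into templates and nothing reads it from the cookie in JavaScript, yet nothing in the file records that invariant; whoever later adds an AJAX path that pulls the token from the cookie will see requests rejected with no hint why. I would annotate the line in place: `CSRF_COOKIE_HTTPONLY = True  # token is rendered into templates; no JS reads this cookie`. The setting also sits right above `legal_envvars`, whose body is cut off in this hunk; if that tuple is the allowlist of environment overrides, the new key is deliberately not overridable from the container environment, which seems right but deserves a word in the same comment.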
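Review bot: HttpOnly keeps the CSRF cookie out of reach of scripts but says nothing about transport, and `HSTS_ENABLED = False` three lines above the new line in powerdnsadmin/default_config.py shows the default deployment is not assumed to be TLS-only, so operators should be told that the cookie's Secure attribute is a separate switch they still have to set. If the CSRF layer is Flask-SeaSurf, as the `CSRF_COOKIE_*` naming suggests, that switch is `CSRF_COOKIE_SECURE`, and the comment can point at it: `CSRF_COOKIE_HTTPONLY = True  # token is rendered into templates, not read by JS; enable CSRF_COOKIE_SECURE when serving over TLS`. Since the same value is also hard-coded in configs/docker_config.py, a note here on which file takes precedence would keep the two from drifting apart.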