Set csrf cookie to httponly

The CSRF token is currently inserted directly into the template; it is not
read from the cookie by JavaScript in the browser, so making the cookie
inaccessible to scripts is not a problem.

The session cookie is already httponly by default [0].

[0] https://flask.palletsprojects.com/en/2.1.x/config/?highlight=session_cookie_httponly#SESSION_COOKIE_HTTPONLY
corubba 2022-05-27 12:53:28 +02:00
parent 3e462dab17
commit ae2ad6527a
2 changed files with 2 additions and 0 deletions


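--- a/PATH-NOT-SHOWN-ON-PAGE-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -2,6 +2,7 @@
 BIND_ADDRESS = '0.0.0.0'
 PORT = 80
 SQLALCHEMY_DATABASE_URI = 'sqlite:////data/powerdns-admin.db'
+CSRF_COOKIE_HTTPONLY = True
 legal_envvars = (
 'SECRET_KEY',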
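Review bot: The added `CSRF_COOKIE_HTTPONLY = True` line carries no comment recording why HttpOnly is safe here, and the justification lives only in the commit message; a reader who later switches the template to reading the token from the cookie in JavaScript will break CSRF protection without any hint in the file. Suggest `# HttpOnly is safe: the CSRF token is rendered into the template, never read from the cookie by JavaScript.` above the line, in this file and in the second file's hunk (the same line added after `FILESYSTEM_SESSIONS_ENABLED = False`). HttpOnly only blocks script access; it does not stop the token cookie from being sent over plain HTTP, and neither hunk sets the companion `CSRF_COOKIE_SECURE` option (if the CSRF extension in use supports it) — with `PORT = 80` here and `HSTS_ENABLED = False` in the second file the app presumably sits behind a TLS-terminating proxy, so whether that flag can be enabled is deployment-dependent and worth a follow-up. Which extension consumes this key is outside the diff, so its exact cookie defaults cannot be confirmed from here.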


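--- a/PATH-NOT-SHOWN-ON-PAGE-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -10,6 +10,7 @@ PORT = 9191
 HSTS_ENABLED = False
 OFFLINE_MODE = False
 FILESYSTEM_SESSIONS_ENABLED = False
+CSRF_COOKIE_HTTPONLY = True
 ### DATABASE CONFIG
 SQLA_DB_USER = 'pda'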