Set csrf cookie to httponly
The CSRF token is currently inserted directly into the template rather than read from the cookie by JavaScript in the browser, so making the cookie inaccessible to scripts is not a problem. The session cookie is already HttpOnly by default [0]. [0] https://flask.palletsprojects.com/en/2.1.x/config/?highlight=session_cookie_httponly#SESSION_COOKIE_HTTPONLY
parent
3e462dab17
commit
ae2ad6527a
@ -2,6 +2,7 @@
|
||||
BIND_ADDRESS = '0.0.0.0'
|
||||
PORT = 80
|
||||
SQLALCHEMY_DATABASE_URI = 'sqlite:////data/powerdns-admin.db'
|
||||
CSRF_COOKIE_HTTPONLY = True
|
||||
|
||||
legal_envvars = (
|
||||
'SECRET_KEY',
|
||||
|
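Review bot: The new `CSRF_COOKIE_HTTPONLY = True` line carries no comment, yet its safety rests on an assumption stated only in the commit message: the token reaches the page through the template, never by JavaScript reading the cookie. A maintainer who later adds a fetch/XHR helper that reads the token from the cookie (the double-submit pattern) would get CSRF failures with nothing in the config explaining why, so add above the line, here and in the second file's hunk alike, `# The CSRF token is rendered into templates, not read from the cookie by JS, so the cookie can stay HttpOnly.` Which line is the addition is inferred from the +7 count and the commit title, since the rendered view dropped the markers. The Secure attribute on the same cookie is a separate setting that this commit does not touch; whether it can be enabled depends on whether each deployment terminates TLS, which these config files do not show.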
@ -10,6 +10,7 @@ PORT = 9191
|
||||
HSTS_ENABLED = False
|
||||
OFFLINE_MODE = False
|
||||
FILESYSTEM_SESSIONS_ENABLED = False
|
||||
CSRF_COOKIE_HTTPONLY = True
|
||||
|
||||
### DATABASE CONFIG
|
||||
SQLA_DB_USER = 'pda'
|
||||
|