Settings example: CSRF_COOKIE_HTTPONLY is disabled
The Django documentation says:
Whether to use HttpOnly flag on the session cookie. If this is set to True, client-side JavaScript will not be able to access the session cookie.
[..]
There aren’t many good reasons for turning this off. Your code shouldn’t read session cookies from JavaScript.
Currently this Django setting (defaulting to True) is overwritten (to False) in our example production configuration (grouprise/settings.py.production) and on multiple instances (e.g. gestadten.org and stadtgestalten.org).
The Django documentation indicates that this may not be a wise choice.
How can we find out whether CSRF_COOKIE_HTTPONLY = False is really relevant for grouprise?
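One way to answer that question is to check whether any of the project's client-side JavaScript actually extracts the token from document.cookie: only such a script depends on the cookie being readable, and everything else (forms with a rendered csrf_token input, scripts that take the token from that hidden input) keeps working with HttpOnly enabled. The following audit helper is an added example written for this issue, not code from grouprise or Django; the two JavaScript snippets are constructed samples, and audit_directory() assumes you point it at the real static files of an instance.

```python
"""Audit helper: does the project's client-side JavaScript read the CSRF cookie?

Added example for this issue, not code from the grouprise project or from Django.
A script that extracts the token from document.cookie depends on the cookie being
readable, so CSRF_COOKIE_HTTPONLY = False matters only if such a script exists.
The two JavaScript snippets below are constructed samples; audit_directory()
(root path assumed) walks real static files instead.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List

CSRF_COOKIE_NAME = "csrftoken"            # Django default; overridden by CSRF_COOKIE_NAME
CSRF_FORM_FIELD = "csrfmiddlewaretoken"   # hidden input rendered by {% csrf_token %}

_DOCUMENT_COOKIE = re.compile(r"\bdocument\.cookie\b")


@dataclass
class ScriptAudit:
    path: str
    reads_document_cookie: bool   # script touches document.cookie at all
    mentions_csrf_cookie: bool    # the cookie name appears in the script
    reads_form_field: bool        # token taken from the {% csrf_token %} input instead

    @property
    def needs_cookie_access(self) -> bool:
        """Likely pulls the CSRF token out of the cookie, so HttpOnly would break it."""
        return self.reads_document_cookie and self.mentions_csrf_cookie


def audit_script(path: str, source: str, cookie_name: str = CSRF_COOKIE_NAME) -> ScriptAudit:
    """Classify one JavaScript source by how (if at all) it obtains the CSRF token."""
    return ScriptAudit(
        path=path,
        reads_document_cookie=bool(_DOCUMENT_COOKIE.search(source)),
        mentions_csrf_cookie=cookie_name in source,
        reads_form_field=CSRF_FORM_FIELD in source,
    )


def audit_directory(root: str, cookie_name: str = CSRF_COOKIE_NAME) -> List[ScriptAudit]:
    """Audit every .js file below `root` (e.g. the collected static directory)."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.append(audit_script(path, fh.read(), cookie_name))
    return results


def httponly_safe_to_enable(results: Iterable[ScriptAudit]) -> bool:
    """True when no audited script appears to read the token from the cookie."""
    return not any(r.needs_cookie_access for r in results)


def blocking_scripts(results: Iterable[ScriptAudit]) -> List[str]:
    """Paths that would have to change before CSRF_COOKIE_HTTPONLY can be True."""
    return [r.path for r in results if r.needs_cookie_access]


# Constructed sample scripts standing in for a project's static files.
SAMPLE_SCRIPTS = {
    "static/js/legacy-ajax.js": """
        // token read from the cookie: relies on CSRF_COOKIE_HTTPONLY = False
        function getCookie(name) {
            var match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
            return match ? match[2] : null;
        }
        xhr.setRequestHeader('X-CSRFToken', getCookie('csrftoken'));
    """,
    "static/js/forms.js": """
        // token read from the hidden input: keeps working with an HttpOnly cookie
        const token = document.querySelector('[name=csrfmiddlewaretoken]').value;
        fetch('/api/', {method: 'POST', headers: {'X-CSRFToken': token}});
    """,
}


def audit_samples() -> List[ScriptAudit]:
    """Run the audit over the constructed samples (same code path as real files)."""
    return [audit_script(path, src) for path, src in SAMPLE_SCRIPTS.items()]


if __name__ == "__main__":
    results = audit_samples()
    for r in results:
        print(f"{r.path}: needs cookie access = {r.needs_cookie_access}")
    print("CSRF_COOKIE_HTTPONLY can be enabled:", httponly_safe_to_enable(results))
    print("scripts to fix first:", blocking_scripts(results))
```

The check is purely textual, so every hit it reports should be confirmed by reading the script, and the cookie name must be passed explicitly if an instance sets CSRF_COOKIE_NAME. If the audit finds no script that reads the cookie, the override can be dropped; if it does find one, Django's CSRF documentation describes the alternative for the HttpOnly case, which is to take the token from the rendered csrf_token input (or another server-rendered location) rather than from the cookie.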