Cross Site Request Forgery protection weak to packet sniffing

Your website is vulnerable because the CSRF_COOKIE_SECURE setting is not set (Django's default is False), so an attacker on the network path has an easier time stealing your CSRF cookie over plain HTTP connections, allowing them to circumvent your CSRF protection.

CsrfViewMiddleware sets the Secure flag on the CSRF cookie when CSRF_COOKIE_SECURE = True, so that the browser only sends the cookie over HTTPS connections.

Cookies sent over plain HTTP are unencrypted, so an attacker can read the CSRF cookie with a packet sniffer. The cookie value is the secret that Django compares against the csrfmiddlewaretoken form field or X-CSRFToken header, so an attacker who knows it can craft a request from their own website that passes the check and is treated as if the logged-in user had made it on your website.

One caveat: the flag only helps when the site is actually served over HTTPS. With CSRF_COOKIE_SECURE = True, a browser visiting over plain HTTP never sends the cookie at all, so every POST fails the CSRF check. That is why the suggested change below makes the setting switchable for local development.

If our GitHub code review bot spots this issue in your pull request it gives this advice:

django-doctor bot suggested changes to settings.py:

    from ast import literal_eval
    from os import getenv


    # feature flagged so can turn off in local development
    CSRF_COOKIE_SECURE = literal_eval(getenv("HTTPS_ONLY", "True"))

    MIDDLEWARE = [
        'django.middleware.csrf.CsrfViewMiddleware',
        ...
    ]
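As an added example, not Code Review Doctor's own code and not part of the original page, the Python below shows two things a practitioner usually wants beside this check. First, a stricter way to read the feature flag than literal_eval on an environment variable: literal_eval evaluates any Python literal ("[]" is falsy, "1.0" is truthy) and raises on the common spelling "true", whereas a small parser accepts the usual spellings and rejects everything else. Second, a check that the csrftoken cookie a response actually sets carries the Secure attribute, which is how to confirm the setting took effect on a deployed site. The HTTPS_ONLY variable name is taken from the suggestion above; the cookie name csrftoken is Django's default; the Set-Cookie headers are constructed samples, not captured traffic.

```python
"""Added example (not Code Review Doctor's code): a stricter feature-flag
parser than literal_eval(getenv(...)), plus a check that the csrftoken
cookie a response sets carries the Secure attribute.

Assumptions (not from the page): the environment variable is HTTPS_ONLY,
the cookie name is Django's default "csrftoken", and the Set-Cookie
headers at the bottom are constructed samples, not captured traffic.
"""
import os

_TRUE = {"1", "true", "yes", "on"}
_FALSE = {"0", "false", "no", "off"}


def env_flag(name, default=True, environ=None):
    """Read a boolean feature flag from the environment.

    Accepts the usual spellings case-insensitively and raises on anything
    else, instead of evaluating an arbitrary Python literal the way
    ast.literal_eval would ("[]" is falsy, "1.0" is truthy, "true" errors).
    """
    env = os.environ if environ is None else environ
    raw = env.get(name)
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    raise ValueError(f"{name} must be one of {sorted(_TRUE | _FALSE)}, got {raw!r}")


def csrf_cookie_settings(environ=None):
    """Settings a Django settings.py would derive from the HTTPS_ONLY flag.

    The session cookie needs the same protection as the CSRF cookie, so the
    one flag drives both. Turning it off is only for local HTTP development.
    """
    https_only = env_flag("HTTPS_ONLY", default=True, environ=environ)
    return {
        "CSRF_COOKIE_SECURE": https_only,
        "SESSION_COOKIE_SECURE": https_only,
    }


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to
    True, valued attributes such as Path map to their string value.
    """
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, has_value, val = part.strip().partition("=")
        if not key:
            continue  # tolerate a trailing ";"
        attrs[key.lower()] = val if has_value else True
    return name, value, attrs


def csrf_cookie_is_secure(set_cookie_headers, cookie_name="csrftoken"):
    """True only if the CSRF cookie was set and every copy carries Secure.

    A response that never sets the cookie returns False as well: there is
    nothing to verify, so the check should not be reported as passing.
    """
    seen = False
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        seen = True
        if attrs.get("secure") is not True:
            return False
    return seen


# Constructed sample responses (not captured from any real site).
INSECURE_RESPONSE = [
    "csrftoken=3xAmpl3T0k3n; Max-Age=31449600; Path=/; SameSite=Lax",
    "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax",
]
SECURE_RESPONSE = [
    "csrftoken=3xAmpl3T0k3n; Max-Age=31449600; Path=/; SameSite=Lax; Secure",
    "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax; Secure",
]

if __name__ == "__main__":
    print(csrf_cookie_settings({"HTTPS_ONLY": "false"}))
    print("insecure sample passes:", csrf_cookie_is_secure(INSECURE_RESPONSE))
    print("secure sample passes:", csrf_cookie_is_secure(SECURE_RESPONSE))
```

To check a deployed site, fetch the page that issues the CSRF cookie (a login form, for example) with something like curl -sI https://your-site/login/ and pass its Set-Cookie header values to csrf_cookie_is_secure; the sessionid cookie deserves the same inspection, since a sniffed session cookie is worse than a sniffed CSRF cookie.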
We're your Django code review copilot. Get code improvements right in your pull request with our GitHub code review bot.

Configuring this check

Code Review Doctor will run this check by default. No configuration is needed but the check can be turned on/off using check code missing-csrf-secure in your pyproject.toml file.

Read more about configuring Code Review Doctor.