Your website is vulnerable because the SESSION_COOKIE_HTTPONLY setting is not set, so hackers have an easier time stealing your users' session cookies using an XSS attack.
SessionMiddleware marks the session cookie as httpOnly when SESSION_COOKIE_HTTPONLY = True, so the cookie cannot be read by nefarious JavaScript running in the browser.
If a bad actor successfully ran nefarious JavaScript on your website using an XSS attack, they could read the user's session cookie and authenticate as that user.
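As an added illustration (not Django's code and not the review bot's), the snippet below builds a Set-Cookie header the way SessionMiddleware would with the setting on or off, and then audits response headers for a session cookie that lacks HttpOnly. The cookie name sessionid is Django's default; the helper names and the sample headers are assumptions constructed for the example.

```python
from http.cookies import SimpleCookie

# Django's default session cookie name (SESSION_COOKIE_NAME)
SESSION_COOKIE_NAME = "sessionid"


def build_session_cookie(session_key, httponly):
    """Mimic the Set-Cookie value SessionMiddleware emits for the session cookie.

    Constructed for this example, not Django's implementation: the HttpOnly
    flag is present only when SESSION_COOKIE_HTTPONLY would be True.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE_NAME] = session_key
    cookie[SESSION_COOKIE_NAME]["path"] = "/"
    cookie[SESSION_COOKIE_NAME]["samesite"] = "Lax"
    if httponly:
        cookie[SESSION_COOKIE_NAME]["httponly"] = True
    return cookie[SESSION_COOKIE_NAME].OutputString()


def session_cookie_lacks_httponly(set_cookie_headers, name=SESSION_COOKIE_NAME):
    """Audit check over a response's Set-Cookie header values.

    Returns True when the session cookie is being set without HttpOnly (i.e. it
    would be readable through document.cookie by injected script), False when it
    carries the flag or when no session cookie is set on this response.
    """
    for header in set_cookie_headers:
        cookie = SimpleCookie()
        cookie.load(header)
        if name in cookie:
            # A missing flag parses as the empty string, a present one as True
            return not cookie[name]["httponly"]
    return False


if __name__ == "__main__":
    # Constructed sample: the cookie as emitted with the setting True and False
    for flag in (True, False):
        header = build_session_cookie("constructed-session-key", flag)
        print(flag, "->", header,
              "| lacks HttpOnly:", session_cookie_lacks_httponly([header]))
```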
If our GitHub code review bot spots this issue in your pull request, it gives this advice:
1 | + | SESSION_COOKIE_HTTPONLY = False |
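Review bot: the added line `SESSION_COOKIE_HTTPONLY = False` is what strips the HttpOnly flag from the session cookie that SessionMiddleware sets, which is exactly the exposure described above; rather than adding this line, drop it or set the value to True so the cookie stays unreadable from JavaScript.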
Your website is vulnerable because the SESSION_COOKIE_HTTPONLY setting is not set, so hackers have an easier time stealing your users' session cookies using an XSS attack.
- | SESSION_COOKIE_HTTPONLY = False |
+ | from ast import literal_eval |
+ | from os import getenv |
+ | |
+ | # feature flagged so can turn off in local development |
+ | SESSION_COOKIE_HTTPONLY = literal_eval(getenv("HTTPS_ONLY", "True")) |
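Review bot: the environment variable name `HTTPS_ONLY` does not match the setting it controls (`SESSION_COOKIE_HTTPONLY`) and reads as if it were about HTTPS, and `literal_eval` raises `ValueError` for common values such as `true` or `yes` while quietly accepting any Python literal (`0`, `[]`) as the flag. Prefer a variable named for the setting with an explicit string comparison, e.g. `SESSION_COOKIE_HTTPONLY = getenv("SESSION_COOKIE_HTTPONLY", "True").lower() == "true"`, keeping the default `True` so that a missing variable is the safe case.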