Session cookie is vulnerable to packet sniffing attack
Your website is vulnerable because the SESSION_COOKIE_SECURE setting is not set - so hackers have an easier time stealing your users' session cookies on HTTP connections.
SessionMiddleware marks the session cookie as secure when SESSION_COOKIE_SECURE = True, to make the browser only send cookie over secure HTTPS connection.
Cookies sent over insecure HTTP are unencrypted, so hackers can steal the session cookie using a packet sniffer - allowing them to effectively copy and paste it into their browser and be logged in as the user.
If our GitHub code review bot spots this issue in your pull request it gives this advice:
django-doctorbot just now1 | + | SESSION_COOKIE_SECURE = False |
Your website is vulnerable because the SESSION_COOKIE_SECURE setting is not set - so hackers have an easier time stealing your users' session cookies on HTTP connections.
- | SESSION_COOKIE_SECURE = False |
+ | from ast import literal_eval |
+ | from os import getenv |
+ | |
+ | # feature flagged so can turn off in local development |
+ | SESSION_COOKIE_SECURE = literal_eval(getenv("HTTPS_ONLY", "True")) |
Update settings.pyInstantly check if you have this issue for free
Works with tools you use
- Detect typos
- Avoid mistakes
- Prevent bugs
- Improve tests
- Read more
- Review PRs
- One click fix
- Clear advice
- Delta aware
- Read more
- Review PRs
- Fix suggested
- Clear advice
- Delta aware
- Read more