Requires Scanning Tool | Merge After Cursory Review
This codemod sets Django's SESSION_COOKIE_SECURE flag to True if it is False or missing in the settings.py file within Django's default directory structure.
+ SESSION_COOKIE_SECURE = True
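Review bot: only an added line is shown, but the description says the codemod also handles an existing `SESSION_COOKIE_SECURE = False`; that case needs the old assignment rewritten or removed (a `-` line) rather than a second assignment appended, because with two module-level assignments whichever comes last in settings.py wins when Django imports the module.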
With the flag on, Django marks the session cookie with the Secure attribute, so browsers only send it over an HTTPS connection. Leaving it off lets an attacker who can observe plaintext HTTP traffic capture the session cookie and hijack the user's session.
If you have feedback on this codemod, please let us know!
Why is this codemod marked as Merge After Cursory Review?
The SESSION_COOKIE_SECURE flag may be overridden elsewhere, or the settings module actually used at runtime may be selected with the DJANGO_SETTINGS_MODULE environment variable rather than the settings.py this codemod edits. This means the flag may have been left off or omitted intentionally. Some applications, often legacy ones, also still need to serve plain HTTP, and a Secure cookie is never sent over HTTP, so turning the flag on there would break logins.
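The following is an added example, not the codemod's own implementation or any Django code, showing both what the codemod does to a settings.py and why the result still needs a look: it classifies a settings module by the last assignment to SESSION_COOKIE_SECURE (the value Django sees after import), rewrites a literal False to True or appends the flag when it is missing, and leaves alone anything it cannot decide statically, such as an assignment nested in an `if` block or a value read from the environment. The sample settings modules are constructed for the example and come from no real project.

```python
import ast

SETTING = "SESSION_COOKIE_SECURE"


def _flag_assignments(tree: ast.Module):
    """All assignments to SETTING in source order, tagged module-level or nested."""
    top_level = {id(node) for node in tree.body}
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == SETTING for t in node.targets
        ):
            found.append((node, id(node) in top_level))
    found.sort(key=lambda pair: pair[0].lineno)
    return found


def flag_status(source: str) -> str:
    """Classify a settings module as 'on', 'off', 'missing' or 'dynamic'.

    The last assignment in source order decides, because that is the value
    Django sees after importing the module. An assignment nested in an if/try
    block, or a non-literal value (e.g. computed from os.environ), cannot be
    decided statically and is reported as 'dynamic' for a human to review.
    """
    assignments = _flag_assignments(ast.parse(source))
    if not assignments:
        return "missing"
    node, is_top_level = assignments[-1]
    if not is_top_level or not isinstance(node.value, ast.Constant):
        return "dynamic"
    if node.value.value is True:
        return "on"
    if node.value.value is False:
        return "off"
    return "dynamic"


def apply_codemod(source: str) -> str:
    """Mimic the codemod: turn a literal False into True, or append the flag if missing.

    'on' and 'dynamic' sources are returned unchanged; the dynamic case is
    exactly what the "Merge After Cursory Review" label warns about.
    """
    status = flag_status(source)
    if status == "missing":
        return source.rstrip("\n") + f"\n{SETTING} = True\n"
    if status != "off":
        return source
    lines = source.splitlines(keepends=True)
    for node, is_top_level in _flag_assignments(ast.parse(source)):
        value = node.value
        if is_top_level and isinstance(value, ast.Constant) and value.value is False:
            # Replace only the literal so a trailing comment on the line survives.
            line = lines[value.lineno - 1]
            lines[value.lineno - 1] = (
                line[: value.col_offset] + "True" + line[value.end_col_offset :]
            )
    return "".join(lines)


# Constructed sample settings modules (not from any real project).
SAMPLE_OFF = '''DEBUG = True
SESSION_COOKIE_SECURE = False  # left off for local http
ALLOWED_HOSTS = ["localhost"]
'''

SAMPLE_MISSING = '''DEBUG = False
ALLOWED_HOSTS = ["example.invalid"]
'''

# A later conditional assignment: the codemod cannot know which branch runs.
SAMPLE_NESTED = '''SESSION_COOKIE_SECURE = True
if DEBUG:
    SESSION_COOKIE_SECURE = False
'''

# Value decided at runtime, so the file alone does not tell you the answer.
SAMPLE_ENV = '''import os
SESSION_COOKIE_SECURE = os.environ.get("COOKIE_SECURE", "1") == "1"
'''


if __name__ == "__main__":
    for name, sample in [("off", SAMPLE_OFF), ("missing", SAMPLE_MISSING),
                         ("nested", SAMPLE_NESTED), ("env", SAMPLE_ENV)]:
        print(f"{name}: before={flag_status(sample)} after={flag_status(apply_codemod(sample))}")
```

Because the file-level check cannot see which module DJANGO_SETTINGS_MODULE points at, confirm the effective value against the running configuration as well, for example with `python manage.py shell -c "from django.conf import settings; print(settings.SESSION_COOKIE_SECURE)"`, or run `python manage.py check --deploy`, which warns when the flag is not True.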