Closes #11386: Introduce CSRF_COOKIE_SECURE, SECURE_SSL_REDIRECT, and SESSION_COOKIE_SECURE configuration parameters

2024-05-10 07:54:54 +00:00 · 2023-04-25 16:29:01 -04:00
parent adb9673f09
commit 99af126fac
3 changed files with 31 additions and 0 deletions
--- a/docs/configuration/security.md
+++ b/docs/configuration/security.md
@ -67,6 +67,12 @@ The name of the cookie to use for the cross-site request forgery (CSRF) authenti

 ---

+## CSRF_COOKIE_SECURE
+
+Default: False
+
+If true, the cookie employed for cross-site request forgery (CSRF) protection will be marked as secure, meaning that it can only be sent across an HTTPS connection.
+
 ---

 ## CSRF_TRUSTED_ORIGINS
@ -145,6 +151,17 @@ The view name or URL to which a user is redirected after logging out.

 ---

+## SECURE_SSL_REDIRECT
+
+Default: False
+
+If true, all non-HTTPS requests will be automatically redirected to use HTTPS.
+
+!!! warning
+    Ensure that your frontend HTTP daemon has been configured to forward the HTTP scheme correctly before enabling this option. An incorrectly configured frontend may result in a looping redirect.
+
+---
+
 ## SESSION_COOKIE_NAME

 Default: `sessionid`
@ -153,6 +170,14 @@ The name used for the session cookie. See the [Django documentation](https://doc

 ---

+## SESSION_COOKIE_SECURE
+
+Default: False
+
+If true, the cookie employed for session authentication will be marked as secure, meaning that it can only be sent across an HTTPS connection.
+
+---
+
 ## SESSION_FILE_PATH

 Default: None