Cookies

Session cookies should be set to HTTPONLY:

SESSION_COOKIE_HTTPONLY = True

Never configure CSRF or session cookies to have a wildcard domain with a leading dot. Horizon’s session and CSRF cookies should be secured when deployed with HTTPS:

CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.