LucaCinquini
commented
7 years ago Done in settings.py, if the server has the production flag set. From the django documentation:
"Whether to use HttpOnly flag on the CSRF cookie. If this is set to True, client-side JavaScript will not to be able to access the CSRF cookie."
We need to make sure this doesn't break any functionality where Ajax requests are made - for example, in the data cart. If so, maybe we need to set the @csrf_exempt tag on the view.
murphysj
Who: NOAA security scan
"HTTPOnly not Set on CSRF Cookie"