How do I set HttpOnly cookie in Django?

How do I set HttpOnly cookie in Django?

And is it worth the effort 开发者_如何学运维to prevent XSS?

Use

SESSION_COOKIE_HTTPONLY = True

in settings.py

In Django 3.0 you can set the following cookies to True in your settings.py:

• LANGUAGE_COOKIE_HTTPONLY
• SESSION_COOKIE_HTTPONLY
• CSRF_COOKIE_HTTPONLY

For instances, if

SESSION_COOKIE_HTTPONLY = True

Then your client-side JavaScript will not be able to access the session cookie.

SESSION_COOKIE_PATH = '/;HttpOnly'

A discussion can be found here: http://groups.google.com/group/django-users/browse_thread/thread/bd7f562d5b938054/a229073ae836f4d2?lnk=raot&pli=1