Secure Setting for Django SESSION_COOKIE_SECURE flag

[pixeebot]

This codemod will set Django's SESSION_COOKIE_SECURE flag to True if it's False or missing on the settings.py file within Django's default directory structure.

+ SESSION_COOKIE_SECURE = True

Setting this flag on ensures that the session cookies are only sent under an HTTPS connection. Leaving this flag off may enable an attacker to use a sniffer to capture the unencrypted session cookie and hijack the user's session.

More reading

• https://owasp.org/www-community/controls/SecureCookieAttribute
• https://docs.djangoproject.com/en/4.2/ref/settings/#session-cookie-secure
• https://cwe.mitre.org/data/definitions/614

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:python/django-session-cookie-secure-off

[pixeebot]

I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it?

If this change was not helpful, or you have suggestions for improvements, please let me know!

[pixeebot]

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!