Django Cookie Prefix to pass securityheaders.com - django

securityheaders.com fails my configurations with the following error:
Set-Cookie There is no Cookie Prefix on this cookie.
And this is the value of the cookie:
Set-Cookie sessionid=123456789123456789123456789; expires=Thu, 12 Sep 2019 06:51:38 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Strict; Secure
I have tried to add the cookie prefix with in settings.py:
CSRF_COOKIE_NAME = '__Secure-csrftoken'
But it seems to be a different parameter. I have searched the documentation and that is all I could find, and it seems not to be applicable.
securityheaders.com, on cookie prefixes, states that the name needs to start with __Secure- or __Host-.

You used the wrong setting: this is not the CSRF_COOKIE_NAME [Django-doc], but the SESSION_COOKIE_NAME [Django-doc]:
Default: 'sessionid'
The name of the cookie to use for sessions. This can be whatever you want (as long as it’s different from the other cookie names in your application).
Note that the name of the cookie it complains about is sessionid:
Set-Cookie sessionid=123456789123456789123456789; expires=Thu, 12 Sep 2019 06:51:38 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Strict; Secure
So you need to specify this as:
SESSION_COOKIE_NAME = '__Secure-sessionid'
CSRF_COOKIE_NAME = '__Secure-csrftoken'
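A checker for the prefix rules that securityheaders.com applies, added here as an example and not part of the answer above; the parser and the sample headers are constructed (the question's cookie, renamed as the answer suggests, plus a deliberately broken __Host- cookie).

```python
# Added example (not the question's or the answer's code): checks a Set-Cookie
# header against the cookie-prefix rules that securityheaders.com applies.
# Rules (RFC 6265bis draft): __Secure- requires Secure; __Host- requires Secure,
# Path=/ and no Domain. A browser silently drops a prefixed cookie that breaks
# them, so with SESSION_COOKIE_NAME = '__Secure-sessionid' Django must also have
# SESSION_COOKIE_SECURE = True (likewise CSRF_COOKIE_SECURE for the CSRF cookie).

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value-or-None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value, attrs


def check_cookie_prefix(header):
    """Return the list of problems; an empty list means the cookie passes."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if name.startswith("__Host-"):
        if "secure" not in attrs:
            problems.append("__Host- cookie must be Secure")
        if "domain" in attrs:
            problems.append("__Host- cookie must not set Domain")
        if attrs.get("path") != "/":
            problems.append("__Host- cookie must set Path=/")
    elif name.startswith("__Secure-"):
        if "secure" not in attrs:
            problems.append("__Secure- cookie must be Secure")
    else:
        problems.append("There is no Cookie Prefix on this cookie.")
    return problems


# Constructed samples: the question's header, the same cookie after the
# SESSION_COOKIE_NAME change, and a __Host- cookie that wrongly sets Domain.
BEFORE = ("sessionid=123456789123456789123456789; expires=Thu, 12 Sep 2019 06:51:38 GMT; "
          "HttpOnly; Max-Age=1209600; Path=/; SameSite=Strict; Secure")
AFTER = BEFORE.replace("sessionid=", "__Secure-sessionid=", 1)
BAD_HOST = "__Host-sessionid=abc; Domain=example.com; Path=/"

if __name__ == "__main__":
    for header in (BEFORE, AFTER, BAD_HOST):
        print(parse_set_cookie(header)[0], "->", check_cookie_prefix(header) or "OK")
```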

Related

How we can add 'httpOnly' to cookies using javaScript

this is my code
const date = new Date(Date.now() + 86400000); // placeholder expiry, not in the question; item and value are assumed defined
const expires = '; expires=' + date.toUTCString();
document.cookie = `${item}=${value}${expires}; path=/; Secure; httpOnly`;
I want HttpOnly to be checked in the developer tools; httpOnly should be checked.

Is cookie with longer domain are listed before cookie with shorter domain?

Say for example I had an application sending the following HTTP headers to set the cookie named "key1":
Set-cookie: key1=111; Domain=cc.net
Set-cookie: key1=222; Domain=bb.cc.net
Set-cookie: key1=222; Domain=aa.bb.cc.net
If I access aa.bb.cc.net on the server, I have three cookies named "key1", but how are these three cookies arranged? Are cookies with a longer domain listed before cookies with a shorter domain?
What does the RFC specify?

Is there a way to use CloudFront signed cookies in HTML

I'm trying to get started in my understanding of how CloudFront with signed cookies works.
I have an HTML file that is tied to my CloudFront distribution:
http://blahblahbla.cloudfront.net/lebron.jpg
If I'm reading the instructions properly, I have to add something to my bucket policy for the S3 bucket that I'm using as the origin:
{
    "Statement": [
        {
            "Resource": "base URL or stream name",
            "Condition": {
                "DateLessThan": {
                    "AWS:EpochTime": ending date and time in Unix time format and UTC
                }
            }
        }
    ]
}
After that it looks like I have to add the following somewhere:
Set-Cookie: Domain=d111111abcdef8.cloudfront.net; Path=/images/*; Secure; HttpOnly; CloudFront-Expires=1426500000
Set-Cookie: Domain=d111111abcdef8.cloudfront.net; Path=/images/*; Secure; HttpOnly; CloudFront-Signature=yXrSIgyQoeE4FBI4eMKF6ho~CA8_
Set-Cookie: Domain=d111111abcdef8.cloudfront.net; Path=/images/*; Secure; HttpOnly; CloudFront-Key-Pair-Id=APKA9ONS7QCOWEXAMPLE
The above is from the documentation. Do I add it between my <head> tags or somewhere else?
I see a lot of documentation for Python and even C#, but I'm just trying to do a simple test using signed cookies with a simple HTML page. Is that even possible?
It goes without saying that I'm still pretty far from understanding this, so any help regarding the bucket policy and the keys issue would be appreciated.

With @csrf_exempt still have Set-Cookie: csrftoken

With Django 1.8, I do not want to have a cookie set on the homepage of my site when the users are not logged in, so I decorate my view with @csrf_exempt like:
from django.views.decorators.csrf import csrf_exempt

@csrf_exempt
def mainhome(request):
    ...  # view body omitted in the question
When I look at the query I can see the cookie is still set. Why?
rodo@roz-desktop:~/(master)$ curl -I http://127.0.0.1:8000/
HTTP/1.0 200 OK
Date: Sat, 13 Jun 2015 08:59:27 GMT
Server: WSGIServer/0.1 Python/2.7.8
Content-Type: text/html; charset=utf-8
Vary: Cookie
X-QueryInspect-Duplicate-SQL-Queries: 2
X-QueryInspect-Total-SQL-Time: 34 ms
X-QueryInspect-Total-Request-Time: 283 ms
X-QueryInspect-Num-SQL-Queries: 3
Set-Cookie: csrftoken=sa5x0DyxgBamca0D84ZZnzl2WAL0evkv; expires=Sat, 11-Jun-2016 08:59:27 GMT; Max-Age=31449600; Path=/
As @Daniel Roseman indicated, @csrf_exempt will not help you with that.
The middleware responsible for the session cookie is SessionMiddleware. You can read more about it in the Django Docs: How to use sessions. Unfortunately, there is no similar decorator in order to exempt some specific view.
So in order to customize the middleware's behaviour, you would need to inherit from SessionMiddleware. There is a nice answer on the matter on SO.
csrf_exempt controls whether or not CSRF is enforced on POST. It has nothing to do with whether or not the CSRF cookie is set; that is done by the CsrfViewMiddleware for all responses.

Cors issues with angular dart - cookies not set

I work on an app using angular.dart on the client side and Dart on the server side.
I have written a login REST entry point and want to set cookies. The header was in the response, but the cookies are not set.
set-cookie:app-user=533c1470a2658184a7625d7d; Expires=Tue, 8 Apr 2014 9:15:47 GMT; Domain=.ballr.eu; Path=/
set-cookie:app-tokn=530fa71b615e168787a7cb5b5c589a5601065e1e3f921d4b770c784394de3a42; Expires=Tue, 8 Apr 2014 9:15:47 GMT; Domain=.ballr.eu; Path=/
I tried to check my headers and the values set in the cookies, but to my mind they are fine.
headers:
request.response..statusCode = HttpStatus.OK
  ..headers.set(HttpHeaders.CONTENT_TYPE, 'text/plain; charset=UTF-8') // was 'text/plain: charset=UTF-8' (colon instead of semicolon)
  ..headers.add("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, DELETE")
  ..headers.add("Access-Control-Allow-Headers", "origin, x-requested-with, content-type, accept")
  ..headers.add("Access-Control-Allow-Origin", "*"); // note: a browser only honours cookies on a credentialed CORS response when Access-Control-Allow-Credentials is true and the origin is explicit, not "*"
cookies:
static setCookie(HttpRequest request, String key, String value, DateTime duration) =>
    request.response.cookies.add(new Cookie(key, value)
      ..path = '/'
      ..expires = duration
      ..domain = '.app.eu');
I followed some threads on Stack Overflow and Google Groups and I think it's a problem with "withCredentials", a value I have set in another project (angular/Java), but I don't find this parameter in angular.dart.
Can you help me find it, or do you have some ideas?
Thank you for your help/time
I'm not sure if I understand your question correctly, but maybe this is what you are looking for:
(on the client)
var request = new HttpRequest()
  ..open("POST", uri.toString(), async: true)
  ..withCredentials = true // seems to be necessary so that cookies are sent
  ..send(); // added so the request is actually issued; uri is assumed defined
EDIT
I missed that this is about Angular. This needs a slightly different approach.
If you use the Angular Http service, you have a parameter:
class MyController {
  Http _http;
  MyController(this._http) {
    _http.getString('someurl', withCredentials: true).then((e) => ...);
    // or _http.request('someurl', method: 'POST', withCredentials: true).then((e) => ...);
  }
}