Secure Setting for Django SESSION_COOKIE_SECURE flag

[pixeebot]

This codemod will set Django's SESSION_COOKIE_SECURE flag to True if it's False or missing on the settings.py file within Django's default directory structure.

+ SESSION_COOKIE_SECURE = True

Setting this flag on ensures that the session cookies are only sent under an HTTPS connection. Leaving this flag off may enable an attacker to use a sniffer to capture the unencrypted session cookie and hijack the user's session.

More reading

• https://owasp.org/www-community/controls/SecureCookieAttribute
• https://docs.djangoproject.com/en/4.2/ref/settings/#session-cookie-secure
• https://cwe.mitre.org/data/definitions/614

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:python/django-session-cookie-secure-off

[pixeebot]

I'm confident in this change, and the CI checks pass, too!

If you see any reason not to merge this, or you have suggestions for improvements, please let me know!

[pixeebot]

Just a friendly ping to remind you about this change. If there are concerns about it, we'd love to hear about them!

[pixeebot]

This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know!

You can also customize me to make sure I'm working with you in the way you want.