Updating cookies settings

f20f8959 · Edward Zarecor · e0d · 31ca2a63 · f20f8959 · f20f8959
Commit f20f8959 authored Mar 29, 2016 by Edward Zarecor Committed by e0d Apr 08, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletions

lms/envs/aws.py
+6 -0

lms/envs/common.py
+3 -1

No files found.
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -349,6 +349,12 @@ FOOTER_BROWSER_CACHE_MAX_AGE = ENV_TOKENS.get('FOOTER_BROWSER_CACHE_MAX_AGE', FO
 NOTIFICATION_EMAIL_CSS = ENV_TOKENS.get('NOTIFICATION_EMAIL_CSS', NOTIFICATION_EMAIL_CSS)
 NOTIFICATION_EMAIL_EDX_LOGO = ENV_TOKENS.get('NOTIFICATION_EMAIL_EDX_LOGO', NOTIFICATION_EMAIL_EDX_LOGO)
+# Determines whether the CSRF toke can be transported on
+# unencrypted channels. It is set to False here for backward compatibility,
+# but it is highly recommended that this is True for enviroments accessed
+# by end users.
+CSRF_COOKIE_SECURE = ENV_TOKENS.get('CSRF_COOKIE_SECURE', False)
 ############# CORS headers for cross-domain requests #################
 if FEATURES.get('ENABLE_CORS_HEADERS') or FEATURES.get('ENABLE_CROSS_DOMAIN_CSRF_COOKIE'):

--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -2022,7 +2022,9 @@ MIGRATION_MODULES = {
 # Forwards-compatibility with Django 1.7
 CSRF_COOKIE_AGE = 60 * 60 * 24 * 7 * 52
+# It is highly recommended that you override this any enviroment accessed by
+# end users
+CSRF_COOKIE_SECURE = False
 ######################### Django Rest Framework ########################