Session cookie is vulnerable to XSS attack

Your website is vulnerable because the SESSION_COOKIE_HTTPONLY setting is not enabled, so an attacker who finds an XSS flaw has an easier time stealing your users' session cookies.

SessionMiddleware marks the session cookie as HttpOnly when SESSION_COOKIE_HTTPONLY = True, so the cookie cannot be read by nefarious JavaScript in the browser (document.cookie does not expose HttpOnly cookies).

If a bad actor successfully ran nefarious JavaScript on your website using an XSS attack, they could read the user's session cookie and use it to authenticate as that user.

So in practice, do this:


MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]
# No need to set SESSION_COOKIE_HTTPONLY: it defaults to True

Instead of this:


MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    ...
]
SESSION_COOKIE_HTTPONLY = False
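To make the difference between the two settings files concrete, here is an added, self-contained example (not Django's or Django Doctor's own code). It uses only the standard library: a simplified stand-in for the middleware shows what the Set-Cookie header looks like with and without the HttpOnly flag, and a small ast-based audit flags any module-level `SESSION_COOKIE_HTTPONLY = False` assignment, which is the kind of misconfiguration the check above looks for. The function names and the two sample settings files are constructed for this illustration.

```python
"""Added illustration (not Django's or Django Doctor's code): how the
SESSION_COOKIE_HTTPONLY setting maps onto the Set-Cookie header, and a
minimal static check that flags settings files which disable it."""
import ast
from http.cookies import SimpleCookie

# Django's default for this setting is True; the stand-in below mirrors that.
DEFAULT_SESSION_COOKIE_HTTPONLY = True


def session_set_cookie_header(session_key: str, settings: dict) -> str:
    """Build the Set-Cookie header a SessionMiddleware-like component would emit.

    Simplified stand-in for Django's behaviour: only the HttpOnly decision is
    modelled; 'settings' is a plain dict keyed by the Django setting names.
    """
    cookie = SimpleCookie()
    name = settings.get("SESSION_COOKIE_NAME", "sessionid")
    cookie[name] = session_key
    cookie[name]["path"] = "/"
    # HttpOnly is emitted only when the setting is truthy (default True).
    if settings.get("SESSION_COOKIE_HTTPONLY", DEFAULT_SESSION_COOKIE_HTTPONLY):
        cookie[name]["httponly"] = True
    return cookie[name].OutputString()


def cookie_readable_by_javascript(set_cookie_header: str) -> bool:
    """document.cookie exposes a cookie exactly when the HttpOnly flag is absent."""
    attrs = [part.strip().lower() for part in set_cookie_header.split(";")]
    return "httponly" not in attrs


def audit_settings_source(source: str) -> list[str]:
    """Flag module-level assignments that disable SESSION_COOKIE_HTTPONLY.

    Returns one finding per offending assignment, with its line number. A
    settings file that omits the setting entirely keeps the safe default,
    so it produces no finding.
    """
    findings = []
    tree = ast.parse(source)
    for node in tree.body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if (isinstance(target, ast.Name)
                    and target.id == "SESSION_COOKIE_HTTPONLY"
                    and isinstance(node.value, ast.Constant)
                    and node.value.value is False):
                findings.append(
                    f"line {node.lineno}: SESSION_COOKIE_HTTPONLY = False "
                    "lets page JavaScript read the session cookie")
    return findings


# Constructed sample settings files (not taken from any real project).
SAFE_SETTINGS = '''
MIDDLEWARE = [
    "django.contrib.sessions.middleware.SessionMiddleware",
]
'''

WEAK_SETTINGS = '''
MIDDLEWARE = [
    "django.contrib.sessions.middleware.SessionMiddleware",
]
SESSION_COOKIE_HTTPONLY = False
'''

if __name__ == "__main__":
    for label, src in (("safe", SAFE_SETTINGS), ("weak", WEAK_SETTINGS)):
        print(label, audit_settings_source(src) or "no findings")
    print(session_set_cookie_header("abc123", {}))
    print(session_set_cookie_header("abc123", {"SESSION_COOKIE_HTTPONLY": False}))
```

Running the script prints one finding for the weak settings file and none for the safe one, followed by the two headers: `sessionid=abc123; HttpOnly; Path=/` for the default, and the same line without `HttpOnly` when the setting is False. The audit only inspects module-level constant assignments, so a value computed at runtime (for example from an environment variable) would need a runtime check against the loaded settings instead.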

Are you affected by this? Audit your codebase in seconds to find out.

Configuring this check

Django Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-session-cookie-http-only in your pyproject.toml file.

Read more about configuring Django Doctor.