
python.django.session_settings

Security High

Detects insecure Django session configuration.

Insecure sessions:

  • Session hijacking — Cookies sent over HTTP
  • XSS attacks — JavaScript can steal session
  • Persistent compromise — Sessions never expire
```python
# ❌ Before (insecure defaults)
SESSION_COOKIE_SECURE = False
SESSION_COOKIE_HTTPONLY = False
SESSION_COOKIE_AGE = 1209600 * 10  # 140 days!

# ✅ After (secure settings)
SESSION_COOKIE_SECURE = True  # HTTPS only
SESSION_COOKIE_HTTPONLY = True  # No JS access
SESSION_COOKIE_SAMESITE = 'Lax'  # CSRF protection
SESSION_COOKIE_AGE = 86400  # 1 day
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
```
Settings flagged by this rule:

  • SESSION_COOKIE_SECURE = False
  • SESSION_COOKIE_HTTPONLY = False
  • Very long session ages
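As an added illustration (not the scanner's own implementation), the check below reproduces the rule's three findings by statically parsing a settings module with `ast`. It assumes Django's documented defaults for unset names (SECURE False, HTTPONLY True, AGE 1209600 s) and uses a hypothetical threshold, the 14-day default, to decide what counts as a "very long" session age.

```python
import ast

# Django's defaults for names the settings file does not set (assumption noted
# in the lead-in): an unset SESSION_COOKIE_SECURE is just as exposed as False.
DEFAULTS = {"SESSION_COOKIE_SECURE": False,
            "SESSION_COOKIE_HTTPONLY": True,
            "SESSION_COOKIE_AGE": 1209600}
MAX_AGE_SECONDS = 1209600  # hypothetical threshold: anything longer is "very long"

def _const(node):
    """Evaluate a literal or literal +/* arithmetic (e.g. 1209600 * 10), else None."""
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mult, ast.Add)):
        left, right = _const(node.left), _const(node.right)
        if isinstance(left, (int, float)) and isinstance(right, (int, float)):
            return left * right if isinstance(node.op, ast.Mult) else left + right
    return None  # anything non-literal is treated as unknown (fail closed)

def check_session_settings(source: str) -> list[str]:
    """Return findings for a Django settings module given as source text."""
    values = dict(DEFAULTS)
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id in DEFAULTS:
                    values[target.id] = _const(node.value)  # last assignment wins
    findings = []
    if values["SESSION_COOKIE_SECURE"] is not True:
        findings.append("SESSION_COOKIE_SECURE is not True: cookie may be sent over plain HTTP")
    if values["SESSION_COOKIE_HTTPONLY"] is not True:
        findings.append("SESSION_COOKIE_HTTPONLY is not True: JavaScript can read the session cookie")
    age = values["SESSION_COOKIE_AGE"]
    if not isinstance(age, (int, float)):
        findings.append("SESSION_COOKIE_AGE could not be evaluated statically; review manually")
    elif age > MAX_AGE_SECONDS:
        findings.append(f"SESSION_COOKIE_AGE={age}: longer than {MAX_AGE_SECONDS} s")
    return findings

# Constructed sample inputs mirroring the rule's before/after blocks.
INSECURE = "SESSION_COOKIE_SECURE = False\nSESSION_COOKIE_HTTPONLY = False\nSESSION_COOKIE_AGE = 1209600 * 10\n"
SECURE = "SESSION_COOKIE_SECURE = True\nSESSION_COOKIE_HTTPONLY = True\nSESSION_COOKIE_AGE = 86400\n"

if __name__ == "__main__":
    for name, src in (("insecure", INSECURE), ("secure", SECURE)):
        print(name, check_session_settings(src) or ["OK"])
```

An empty settings file also yields one finding, because the page's first flagged setting is Django's own default when SESSION_COOKIE_SECURE is left unset.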