From 8ea68eed540971b7cc0157162cdaec4c673f2b79 Mon Sep 17 00:00:00 2001
From: "Christopher C. Wells"
Date: Thu, 16 Sep 2021 18:59:25 -0700
Subject: [PATCH] Default session and CSRF cookie setting to secure

---
 babybuddy/settings/base.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/babybuddy/settings/base.py b/babybuddy/settings/base.py
index 96244f40c..6e9947113 100644
--- a/babybuddy/settings/base.py
+++ b/babybuddy/settings/base.py
@@ -233,6 +233,18 @@
 THUMBNAIL_DEFAULT_STORAGE = 'storages.backends.s3boto3.S3Boto3Storage'
+# Security
+# https://docs.djangoproject.com/en/3.2/topics/http/sessions/#settings
+# https://docs.djangoproject.com/en/3.2/ref/csrf/#settings
+
+# See https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header for why and when to set this
+if os.environ.get('SECURE_PROXY_SSL_HEADER'):
+ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+
+SESSION_COOKIE_SECURE = True
+CSRF_COOKIE_SECURE = True
+
+
 # Django Rest Framework
 # https://www.django-rest-framework.org/
@@ -291,9 +303,3 @@
 'NAP_START_MAX': os.environ.get('NAP_START_MAX') or '18:00',
 'ALLOW_UPLOADS': os.environ.get('ALLOW_UPLOADS') or True
 }
-
-# Set SECURE_PROXY_SSL_HEADER
-# See https://docs.djangoproject.com/en/3.2/ref/settings/#secure-proxy-ssl-header for why and when to set this
-
-if os.environ.get('SECURE_PROXY_SSL_HEADER'):
- SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
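Review bot: Hard-coding `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` in base.py with no opt-out breaks every deployment that is served over plain HTTP (a LAN or localhost install with no TLS): the browser never sends a Secure cookie over http://, so login and every CSRF-protected POST fail with no server-side error to point at, and a user has no way to recover short of patching settings. Since the neighbouring `SECURE_PROXY_SSL_HEADER` block already keys off an environment variable, the same pattern would keep the secure default while leaving an escape hatch, e.g. `_secure_cookies = os.environ.get('SECURE_COOKIES', 'True').lower() not in ('false', '0')`, `SESSION_COOKIE_SECURE = _secure_cookies`, `CSRF_COOKIE_SECURE = _secure_cookies`, with a comment such as `# Cookies are only sent over HTTPS by default; set SECURE_COOKIES=False only for deployments that cannot use TLS.` While here, `if os.environ.get('SECURE_PROXY_SSL_HEADER'):` treats any non-empty value, including the string `False`, as enabled, and the linked Django docs warn that trusting `X-Forwarded-Proto` when the app is not actually behind a proxy that controls that header lets a client spoof `request.is_secure()`; the inline comment should say that the variable must be unset, not set to False, unless a TLS-terminating proxy is in front of the app. The deleted second hunk only moves these lines and needs no separate review.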