From c8d48945f28df9b7d1f9638d4fe03c426a8b7d08 Mon Sep 17 00:00:00 2001
From: "Christopher C. Wells"
Date: Thu, 16 Sep 2021 19:37:04 -0700
Subject: [PATCH] Set `HttpOnly` flag on cookies
---
 babybuddy/settings/base.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/babybuddy/settings/base.py b/babybuddy/settings/base.py
index 5ba95fba1..3a6ddc8b2 100644
--- a/babybuddy/settings/base.py
+++ b/babybuddy/settings/base.py
@@ -240,9 +240,11 @@ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 # https://docs.djangoproject.com/en/3.2/topics/http/sessions/#settings
+SESSION_COOKIE_HTTPONLY = True
 SESSION_COOKIE_SECURE = True
 # https://docs.djangoproject.com/en/3.2/ref/csrf/#settings
+CSRF_COOKIE_HTTPONLY = True
 CSRF_COOKIE_SECURE = True
 # https://docs.djangoproject.com/en/3.2/topics/auth/passwords/
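Review bot: `CSRF_COOKIE_HTTPONLY = True` stops browser JavaScript from reading the csrftoken cookie, so any front-end code that obtains the token via `document.cookie` for AJAX requests will start receiving 403s; Django's own documentation notes the setting offers little practical protection and recommends reading the token from the `{{ csrf_token }}` hidden form input instead. Worth confirming the project's JS does not read the cookie before merging, and recording the constraint next to the line, e.g. `# JS must take the CSRF token from the form input, not the cookie (HttpOnly)`. The added `SESSION_COOKIE_HTTPONLY = True` matches Django's default, so that line documents existing behaviour rather than changing it, which is fine to keep explicit. The hunk's trailing blank context line appears to be collapsed beyond this chunk, so the end of the hunk is inferred.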