Why are *_COOKIE_SECURE settings defaulted to False?

I’m reading through Two Scoops of Django with a colleague and we reached the Security Best Practices section. In that section it mentions setting cookie security flags in the settings to True, like so:

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

I had never heard of this setting, so I looked it up in the Django docs, and the docs say:
https://docs.djangoproject.com/en/3.0/ref/settings/#std:setting-SESSION_COOKIE_SECURE
“Leaving this setting off isn’t a good idea because an attacker could capture an unencrypted session cookie with a packet sniffer and use the cookie to hijack the user’s session.”

If this is a dangerous setting to leave on False, why isn’t it defaulted to True in the settings? I’m sure there’s a good reason. Before I change a Django default I’d like to learn a little more about why it was set to False initially.

This is because Django still supports HTTP only out of the box - especially for runserver, which is hard to move to HTTPS. We could do better: for example, if SECURE_SSL_REDIRECT is True or HSTS is enabled, we could default to secure cookies. Can you open a ticket?

(I’m a fan of increasing Django’s default security, as per my blog post on security headers and recent changes to defaults for security headers.)

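The reasoning in the reply above, as an added example that is not code from the thread or from Django itself: derive the two cookie flags from the rest of a Django-style settings mapping, and audit settings that leave them False. A Secure cookie is never sent over http://, so forcing the flag under runserver breaks login, while on a site that already forces HTTPS it costs nothing. The function names are this example's own, not Django settings.

```python
# Added example (not code from the thread or from Django): derive and audit the
# *_COOKIE_SECURE flags from the rest of a Django-style settings mapping. Secure
# cookies are never sent over http://, so forcing them under plain-HTTP runserver
# breaks login; on an HTTPS-only site (SECURE_SSL_REDIRECT or HSTS) they are free.
# Function names below are this example's own, not Django settings.
from typing import Dict, List

COOKIE_FLAGS = ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def https_only(settings: Dict[str, object]) -> bool:
    """True when the settings already force HTTPS for every request."""
    redirect = bool(settings.get("SECURE_SSL_REDIRECT", False))
    hsts = int(settings.get("SECURE_HSTS_SECONDS", 0) or 0)
    return redirect or hsts > 0


def derive_cookie_settings(settings: Dict[str, object]) -> Dict[str, bool]:
    """Return the two cookie flags, keeping explicit values and filling the rest.

    Default: True when the site is HTTPS-only or not a DEBUG build; False only for
    a DEBUG build without forced HTTPS, which is the plain-HTTP runserver case.
    """
    default = https_only(settings) or not bool(settings.get("DEBUG", False))
    return {name: bool(settings.get(name, default)) for name in COOKIE_FLAGS}


def audit_cookie_settings(settings: Dict[str, object]) -> List[str]:
    """Report cookie flags left False where the docs warn of session hijacking."""
    findings = []
    for name in COOKIE_FLAGS:
        if bool(settings.get(name, False)):
            continue  # Django's default is False, so a missing key counts as False
        if https_only(settings):
            findings.append(f"{name} is False although the site forces HTTPS")
        elif not settings.get("DEBUG", False):
            findings.append(f"{name} is False in a non-DEBUG deployment")
    return findings


# Constructed sample settings: a runserver dev profile and a production profile
# that forces HTTPS but never set the cookie flags.
DEV_SETTINGS = {"DEBUG": True}
PROD_SETTINGS = {"DEBUG": False, "SECURE_SSL_REDIRECT": True,
                 "SECURE_HSTS_SECONDS": 31536000}

if __name__ == "__main__":
    print(derive_cookie_settings(DEV_SETTINGS))   # both False: plain-HTTP runserver
    print(derive_cookie_settings(PROD_SETTINGS))  # both True: HTTPS is forced
    for finding in audit_cookie_settings(PROD_SETTINGS):
        print("finding:", finding)
```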

Thank you for the quick reply and the explanation.

I wrote a ticket here: https://code.djangoproject.com/ticket/31260
I think I captured this conversation properly, but if you’d like me to tweak it, let me know.

I read through the SSL and HSTS Django settings and learned a thing or two. Thanks again for the reply.