CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE to True when terminating SSL on load balancer
pjotr
Sep 7, 2016, 7:15:16 AM
to Django users
Hi,
I use HAProxy as load balancer, where I also terminate the SSL. The traffic between HAProxy and the is unencrypted. I have force SSL enabled, so all requests with http will be redirected to https.
Question is, does it serve any good to have CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE set to True in settings? It doesn't make sense for me, but there might be some other reasons for using that!?
/Peter
Camilo Torres
Sep 7, 2016, 10:40:25 AM
to Django users
Hi.
As you are currently using HTTPS, setting these to true makes sense.
These settings are used by the browser to ensure encrypted cookies. It does not matter if you are using haproxy with ssl termination.
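
The browser-side behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified model of the RFC 6265 secure-only rule, showing which cookies travel on the initial plain-HTTP request that reaches the load balancer before the HTTPS redirect. It assumes Django's default cookie names (`sessionid`, `csrftoken`), uses constructed values, and ignores domain, path and expiry matching.

```python
# Added illustration (not code from the thread): a simplified model of how a
# browser applies the cookie "Secure" attribute. Standard library only.
from http.cookies import SimpleCookie


def build_set_cookie(name, value, secure):
    """Return a Set-Cookie header value as the application would emit it."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    if secure:
        # What SESSION_COOKIE_SECURE / CSRF_COOKIE_SECURE = True adds.
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


def cookies_sent(set_cookie_headers, scheme):
    """Names of stored cookies a browser attaches to a request with `scheme`."""
    sent = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Secure-only cookies are withheld from non-HTTPS requests.
            if morsel["secure"] and scheme != "https":
                continue
            sent.append(name)
    return sorted(sent)


def plaintext_exposure(secure_flag):
    """Cookies carried by an http:// request made before the HTTPS redirect.

    The browser decides this from the URL scheme alone; it has no knowledge
    of whether TLS ends at the load balancer or at the application server.
    """
    headers = [
        build_set_cookie("sessionid", "constructed-session", secure_flag),
        build_set_cookie("csrftoken", "constructed-token", secure_flag),
    ]
    return cookies_sent(headers, "http")


if __name__ == "__main__":
    print("Secure off, sent over http:", plaintext_exposure(False))
    print("Secure on,  sent over http:", plaintext_exposure(True))
```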