
HTTPS and secure cookies in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
What does setting SECURE_SSL_REDIRECT = True do in Django?
In a Django project, what is the effect of setting SECURE_SSL_REDIRECT = True in your settings.py file?
A. It forces all HTTP requests to be redirected to HTTPS.
B. It disables HTTPS and allows only HTTP connections.
C. It encrypts cookies automatically without any other settings.
D. It enables debug mode for SSL connections.
💡 Hint
Think about what happens when a user tries to access your site with HTTP.
component_behavior
intermediate
What happens if SESSION_COOKIE_SECURE is set to True?
In Django, if you set SESSION_COOKIE_SECURE = True, what is the behavior of the session cookie?
A. The session cookie is sent over both HTTP and HTTPS.
B. The session cookie is only sent over HTTPS connections.
C. The session cookie is disabled completely.
D. The session cookie is encrypted with a custom key.
💡 Hint
Consider when cookies are sent by browsers based on security flags.
📝 Syntax
advanced
Identify the correct way to set a secure cookie in a Django view
Which of the following Django view code snippets correctly sets a secure cookie named 'token' with value 'abc123'?
A. response.set_cookie('token', 'abc123', httpOnly=True)
B. response.set_cookie('token', 'abc123', secure=False, httponly=True)
C. response.set_cookie('token', 'abc123', secure=True, httponly=True)
D. response.set_cookie('token', 'abc123', secure=True, http_only=True)
💡 Hint
Check the exact parameter names for set_cookie method.
🔧 Debug
advanced
Why is the secure cookie not sent over HTTPS?
A developer sets SESSION_COOKIE_SECURE = True in Django settings but notices the session cookie is not sent in HTTPS requests. What is the most likely cause?
A. The SESSION_COOKIE_SECURE setting must be set to False to send cookies.
B. The cookie name is incorrect in the settings.
C. The browser does not support secure cookies.
D. The site is accessed via HTTP, not HTTPS, so the cookie is not sent.
💡 Hint
Think about when secure cookies are sent by browsers.
state_output
expert
What is the value of CSRF_COOKIE_SECURE after this settings change?
Given the following Django settings snippet, what is the value of CSRF_COOKIE_SECURE after execution?
CSRF_COOKIE_SECURE = False
if DEBUG is False:
    CSRF_COOKIE_SECURE = True
else:
    CSRF_COOKIE_SECURE = False

DEBUG = False
Django
DEBUG = False
CSRF_COOKIE_SECURE = False
if DEBUG is False:
    CSRF_COOKIE_SECURE = True
else:
    CSRF_COOKIE_SECURE = False
A. Raises NameError
B. True
C. False
D. None
💡 Hint
Check the order of variable assignments and usage.

Practice

1. What is the main purpose of setting SESSION_COOKIE_SECURE = True in Django settings?
easy
A. To allow cookies on both HTTP and HTTPS
B. To make cookies accessible to JavaScript
C. To disable cookies entirely
D. To ensure cookies are only sent over HTTPS connections

Solution

  1. Step 1: Understand what SESSION_COOKIE_SECURE does

    This setting tells Django to only send session cookies over HTTPS connections, preventing them from being sent over insecure HTTP.
  2. Step 2: Analyze the options

    To ensure cookies are only sent over HTTPS connections correctly describes this behavior. The other options do not match the purpose of this setting.
  3. Final Answer:

    To ensure cookies are only sent over HTTPS connections -> Option D
  4. Quick Check:

    SESSION_COOKIE_SECURE = True means HTTPS only [OK]
Hint: Secure cookies only send on HTTPS connections [OK]
Common Mistakes:
  • Thinking it makes cookies accessible to JavaScript
  • Believing it disables cookies
  • Assuming it allows cookies on HTTP
2. Which of the following is the correct way to enable HTTPS redirection in Django settings?
easy
A. SECURE_SSL_REDIRECT = False
B. SECURE_SSL_REDIRECT = True
C. SESSION_COOKIE_SECURE = False
D. CSRF_COOKIE_SECURE = False

Solution

  1. Step 1: Identify the setting for HTTPS redirection

    The setting SECURE_SSL_REDIRECT controls whether Django redirects HTTP requests to HTTPS.
  2. Step 2: Choose the correct value to enable redirection

    Setting SECURE_SSL_REDIRECT = True enables automatic redirection to HTTPS. The other options either disable security or relate to cookies.
  3. Final Answer:

    SECURE_SSL_REDIRECT = True -> Option B
  4. Quick Check:

    Enable HTTPS redirect with SECURE_SSL_REDIRECT = True [OK]
Hint: Set SECURE_SSL_REDIRECT to True to force HTTPS [OK]
Common Mistakes:
  • Setting SECURE_SSL_REDIRECT to False disables HTTPS redirect
  • Confusing cookie settings with HTTPS redirect
  • Not enabling HTTPS redirect at all
3. Given the following Django settings snippet, what will happen when a user accesses the site over HTTP?
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
medium
A. The user will be redirected to the HTTPS version of the site
B. The session cookie will be sent over HTTP
C. CSRF protection will be disabled
D. The site will allow HTTP access without redirection

Solution

  1. Step 1: Understand SECURE_SSL_REDIRECT = True

    This setting forces Django to redirect all HTTP requests to HTTPS automatically.
  2. Step 2: Analyze cookie settings

    Both SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE ensure cookies are only sent over HTTPS, but the redirect happens first.
  3. Final Answer:

    The user will be redirected to the HTTPS version of the site -> Option A
  4. Quick Check:

    SECURE_SSL_REDIRECT = True causes HTTPS redirect [OK]
Hint: HTTPS redirect happens before cookies are sent [OK]
Common Mistakes:
  • Thinking cookies are sent over HTTP despite redirect
  • Assuming CSRF protection is disabled
  • Believing HTTP access is allowed without redirect
4. You set SESSION_COOKIE_SECURE = True but notice session cookies are still sent over HTTP. What is the most likely cause?
medium
A. The site is not using HTTPS, so cookies are sent anyway
B. The browser does not support secure cookies
C. You forgot to set SECURE_SSL_REDIRECT = True
D. You need to set CSRF_COOKIE_SECURE = False

Solution

  1. Step 1: Understand the role of SECURE_SSL_REDIRECT

    This setting forces HTTP requests to HTTPS, ensuring secure cookies are sent only over HTTPS.
  2. Step 2: Identify why cookies are sent over HTTP

    If SECURE_SSL_REDIRECT is not enabled, users can access the site over HTTP, so cookies may be sent insecurely despite SESSION_COOKIE_SECURE.
  3. Final Answer:

    You forgot to set SECURE_SSL_REDIRECT = True -> Option C
  4. Quick Check:

    Enable SECURE_SSL_REDIRECT to enforce HTTPS [OK]
Hint: Enable SECURE_SSL_REDIRECT to prevent HTTP cookie sending [OK]
Common Mistakes:
  • Assuming browser ignores secure cookie flag
  • Thinking CSRF_COOKIE_SECURE affects session cookies
  • Believing HTTPS is automatic without redirect
5. You want to secure your Django site so that session and CSRF cookies are only sent over HTTPS, and all HTTP requests redirect to HTTPS. Which combination of settings achieves this securely?
hard
A. SECURE_SSL_REDIRECT = True, SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True
B. SECURE_SSL_REDIRECT = False, SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True
C. SECURE_SSL_REDIRECT = True, SESSION_COOKIE_SECURE = False, CSRF_COOKIE_SECURE = False
D. SECURE_SSL_REDIRECT = False, SESSION_COOKIE_SECURE = False, CSRF_COOKIE_SECURE = False

Solution

  1. Step 1: Ensure HTTP requests redirect to HTTPS

    Setting SECURE_SSL_REDIRECT = True forces all HTTP requests to HTTPS, preventing insecure access.
  2. Step 2: Secure cookies for session and CSRF

    Setting both SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True ensures cookies are only sent over HTTPS connections.
  3. Step 3: Evaluate other options

    The other options fail to secure either redirection or cookies properly, leaving security gaps.
  4. Final Answer:

    SECURE_SSL_REDIRECT = True, SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True -> Option A
  5. Quick Check:

    All three settings True secures HTTPS and cookies [OK]
Hint: Enable all three: redirect and secure cookies [OK]
Common Mistakes:
  • Not enabling HTTPS redirect
  • Leaving cookie secure flags False
  • Assuming one setting is enough alone
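
The browser-side rule behind SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE, as an added example that is not part of the original page: it uses Python's standard-library cookie jar (not Django) to show that a cookie marked Secure is attached to HTTPS requests and withheld from HTTP ones. The host example.com and the cookie names and values are constructed for illustration.

```python
# Added example: standard library only, no Django required.
# Host, cookie names and values are constructed sample data.
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, secure):
    """Build a cookie for example.com; `secure` mirrors the Secure attribute."""
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain="example.com", domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar():
    """A client cookie store holding one Secure and one non-Secure cookie."""
    jar = CookieJar()
    # What a session cookie looks like when the server sets the Secure flag.
    jar.set_cookie(make_cookie("sessionid", "constructed-session", secure=True))
    # A cookie set without the Secure flag, for comparison.
    jar.set_cookie(make_cookie("theme", "dark", secure=False))
    return jar


def cookies_sent(url, jar):
    """Return the set of name=value pairs the client attaches to `url`."""
    request = Request(url)
    jar.add_cookie_header(request)  # applies the Secure, domain and path rules
    header = request.get_header("Cookie")
    return set(header.split("; ")) if header else set()


if __name__ == "__main__":
    jar = build_jar()
    print("HTTPS request carries:", sorted(cookies_sent("https://example.com/", jar)))
    print("HTTP request carries: ", sorted(cookies_sent("http://example.com/", jar)))
```

The Secure flag controls what the client sends; whether plain HTTP requests reach the site at all is the separate concern handled by SECURE_SSL_REDIRECT.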