HTTPS and secure cookies in Django - Cheat Sheet & Quick Revision

Recall & Review
beginner
What does HTTPS stand for and why is it important?
HTTPS stands for HyperText Transfer Protocol Secure. It encrypts data between the user's browser and the server, protecting sensitive information from being intercepted.
beginner
What is a secure cookie in Django?
A secure cookie is a cookie that the browser only sends over HTTPS connections. In Django, setting 'SESSION_COOKIE_SECURE' or 'CSRF_COOKIE_SECURE' to True ensures the session or CSRF cookie is only sent over HTTPS.
intermediate
How do you enable HTTPS in a Django project?
You enable HTTPS by configuring your web server (like Nginx or Apache) with SSL certificates and setting Django settings like 'SECURE_SSL_REDIRECT = True' to force HTTPS.
intermediate
What does the 'HttpOnly' flag do for cookies?
The 'HttpOnly' flag prevents JavaScript from accessing the cookie, reducing the risk of cross-site scripting (XSS) attacks. In Django, set 'SESSION_COOKIE_HTTPONLY = True'.
advanced
Why should you use 'SECURE_HSTS_SECONDS' in Django settings?
Setting 'SECURE_HSTS_SECONDS' enables HTTP Strict Transport Security (HSTS), which tells browsers to use only HTTPS for your site for that number of seconds, improving security.
Which Django setting forces all requests to use HTTPS?
A. SECURE_HSTS_SECONDS
B. SESSION_COOKIE_SECURE
C. CSRF_COOKIE_SECURE
D. SECURE_SSL_REDIRECT
What does setting 'SESSION_COOKIE_SECURE = True' do?
A. Sends session cookies only over HTTPS
B. Makes cookies accessible to JavaScript
C. Disables cookies
D. Encrypts cookie content
What is the purpose of the 'HttpOnly' flag on cookies?
A. Makes cookies visible to all domains
B. Prevents JavaScript access to cookies
C. Allows cookies over HTTP only
D. Encrypts cookies
Which protocol does HTTPS use to secure communication?
A. SMTP
B. FTP
C. SSL/TLS
D. HTTP/2
What does setting 'SECURE_HSTS_SECONDS' do in Django?
A. Enforces browsers to use HTTPS for a set time
B. Disables cookies
C. Redirects HTTP to HTTPS immediately
D. Enables HTTP caching
Explain how HTTPS and secure cookies work together to protect user data in a Django application.
Think about data safety during transmission and cookie security.
Describe the key Django settings you would configure to ensure your site uses HTTPS and secure cookies.
Focus on settings that control HTTPS enforcement and cookie security.

      Practice

      1. What is the main purpose of setting SESSION_COOKIE_SECURE = True in Django settings?
      easy
      A. To allow cookies on both HTTP and HTTPS
      B. To make cookies accessible to JavaScript
      C. To disable cookies entirely
      D. To ensure cookies are only sent over HTTPS connections

      Solution

      1. Step 1: Understand what SESSION_COOKIE_SECURE does

        This setting tells Django to only send session cookies over HTTPS connections, preventing them from being sent over insecure HTTP.
      2. Step 2: Analyze the options

        To ensure cookies are only sent over HTTPS connections correctly describes this behavior. The other options do not match the purpose of this setting.
      3. Final Answer:

        To ensure cookies are only sent over HTTPS connections -> Option D
      4. Quick Check:

        SESSION_COOKIE_SECURE = True means HTTPS only [OK]
      Hint: Secure cookies only send on HTTPS connections [OK]
      Common Mistakes:
      • Thinking it makes cookies accessible to JavaScript
      • Believing it disables cookies
      • Assuming it allows cookies on HTTP
      2. Which of the following is the correct way to enable HTTPS redirection in Django settings?
      easy
      A. SECURE_SSL_REDIRECT = False
      B. SECURE_SSL_REDIRECT = True
      C. SESSION_COOKIE_SECURE = False
      D. CSRF_COOKIE_SECURE = False

      Solution

      1. Step 1: Identify the setting for HTTPS redirection

        The setting SECURE_SSL_REDIRECT controls whether Django redirects HTTP requests to HTTPS.
      2. Step 2: Choose the correct value to enable redirection

        Setting SECURE_SSL_REDIRECT = True enables automatic redirection to HTTPS. The other options either disable security or relate to cookies.
      3. Final Answer:

        SECURE_SSL_REDIRECT = True -> Option B
      4. Quick Check:

        Enable HTTPS redirect with SECURE_SSL_REDIRECT = True [OK]
      Hint: Set SECURE_SSL_REDIRECT to True to force HTTPS [OK]
      Common Mistakes:
      • Setting SECURE_SSL_REDIRECT to False disables HTTPS redirect
      • Confusing cookie settings with HTTPS redirect
      • Not enabling HTTPS redirect at all
      3. Given the following Django settings snippet, what will happen when a user accesses the site over HTTP?
      SECURE_SSL_REDIRECT = True
      SESSION_COOKIE_SECURE = True
      CSRF_COOKIE_SECURE = True
      medium
      A. The user will be redirected to the HTTPS version of the site
      B. The session cookie will be sent over HTTP
      C. CSRF protection will be disabled
      D. The site will allow HTTP access without redirection

      Solution

      1. Step 1: Understand SECURE_SSL_REDIRECT = True

        This setting forces Django to redirect all HTTP requests to HTTPS automatically.
      2. Step 2: Analyze cookie settings

        Both SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE ensure cookies are only sent over HTTPS, but the redirect happens first.
      3. Final Answer:

        The user will be redirected to the HTTPS version of the site -> Option A
      4. Quick Check:

        SECURE_SSL_REDIRECT = True causes HTTPS redirect [OK]
      Hint: HTTPS redirect happens before cookies are sent [OK]
      Common Mistakes:
      • Thinking cookies are sent over HTTP despite redirect
      • Assuming CSRF protection is disabled
      • Believing HTTP access is allowed without redirect
      4. You set SESSION_COOKIE_SECURE = True but notice session cookies are still sent over HTTP. What is the most likely cause?
      medium
      A. The site is not using HTTPS, so cookies are sent anyway
      B. The browser does not support secure cookies
      C. You forgot to set SECURE_SSL_REDIRECT = True
      D. You need to set CSRF_COOKIE_SECURE = False

      Solution

      1. Step 1: Understand the role of SECURE_SSL_REDIRECT

        This setting forces HTTP requests to HTTPS, ensuring secure cookies are sent only over HTTPS.
      2. Step 2: Identify why cookies are sent over HTTP

        If SECURE_SSL_REDIRECT is not enabled, users can access the site over HTTP, so cookies may be sent insecurely despite SESSION_COOKIE_SECURE.
      3. Final Answer:

        You forgot to set SECURE_SSL_REDIRECT = True -> Option C
      4. Quick Check:

        Enable SECURE_SSL_REDIRECT to enforce HTTPS [OK]
      Hint: Enable SECURE_SSL_REDIRECT to prevent HTTP cookie sending [OK]
      Common Mistakes:
      • Assuming browser ignores secure cookie flag
      • Thinking CSRF_COOKIE_SECURE affects session cookies
      • Believing HTTPS is automatic without redirect
      5. You want to secure your Django site so that session and CSRF cookies are only sent over HTTPS, and all HTTP requests redirect to HTTPS. Which combination of settings achieves this securely?
      hard
      A. SECURE_SSL_REDIRECT = True, SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True
      B. SECURE_SSL_REDIRECT = False, SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True
      C. SECURE_SSL_REDIRECT = True, SESSION_COOKIE_SECURE = False, CSRF_COOKIE_SECURE = False
      D. SECURE_SSL_REDIRECT = False, SESSION_COOKIE_SECURE = False, CSRF_COOKIE_SECURE = False

      Solution

      1. Step 1: Ensure HTTP requests redirect to HTTPS

        Setting SECURE_SSL_REDIRECT = True forces all HTTP requests to HTTPS, preventing insecure access.
      2. Step 2: Secure cookies for session and CSRF

        Setting both SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE to True ensures cookies are only sent over HTTPS connections.
      3. Step 3: Evaluate other options

        The other options fail to secure either redirection or cookies properly, leaving security gaps.
      4. Final Answer:

        SECURE_SSL_REDIRECT = True, SESSION_COOKIE_SECURE = True, CSRF_COOKIE_SECURE = True -> Option A
      5. Quick Check:

        All three settings True secures HTTPS and cookies [OK]
      Hint: Enable all three: redirect and secure cookies [OK]
      Common Mistakes:
      • Not enabling HTTPS redirect
      • Leaving cookie secure flags False
      • Assuming one setting is enough alone