fix: LEAP-1713: Enhance CSRF Token Security (#6905)

HumanSignal · Jan 15, 2025 · 3a44207 · 3a44207
1 parent 53bdbcd
commit 3a44207
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/label_studio/core/settings/base.py b/label_studio/core/settings/base.py
@@ -428,6 +428,11 @@
 CSRF_COOKIE_HTTPONLY = bool(int(get_env('CSRF_COOKIE_HTTPONLY', SESSION_COOKIE_SECURE)))
 CSRF_COOKIE_SAMESITE = get_env('CSRF_COOKIE_SAMESITE', 'Lax')
 
+# default value is from django docs: https://docs.djangoproject.com/en/5.1/ref/settings/#csrf-cookie-age
+# approximately 1 year
+CSRF_COOKIE_AGE = int(get_env('CSRF_COOKIE_AGE', 31449600))
+
+
 # Inactivity user sessions
 INACTIVITY_SESSION_TIMEOUT_ENABLED = bool(int(get_env('INACTIVITY_SESSION_TIMEOUT_ENABLED', True)))
 # The most time a login will last, regardless of activity