From 1864d61d6c20e275e9196deff6c8f3de78fcee3d Mon Sep 17 00:00:00 2001 From: Ben Falk Date: Fri, 13 Sep 2019 14:36:35 -0400 Subject: [PATCH] [2.2.x] Fixed typos in docs/ref/settings.txt. Backport of 4056558a1c9cf650ab6e7cb1a319206d2e8c770f from master. --- docs/ref/settings.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 9618f1f039..7937995442 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -323,7 +323,7 @@ protection is safe from cross-subdomain attacks by default - please see the Default: ``False`` Whether to use ``HttpOnly`` flag on the CSRF cookie. If this is set to -``True``, client-side JavaScript will not to be able to access the CSRF cookie. +``True``, client-side JavaScript will not be able to access the CSRF cookie. Designating the CSRF cookie as ``HttpOnly`` doesn't offer any practical protection because CSRF is only to protect against cross-domain attacks. If an @@ -3012,7 +3012,7 @@ This setting also affects cookies set by :mod:`django.contrib.messages`. Default: ``True`` Whether to use ``HttpOnly`` flag on the session cookie. If this is set to -``True``, client-side JavaScript will not to be able to access the session +``True``, client-side JavaScript will not be able to access the session cookie. HttpOnly_ is a flag included in a Set-Cookie HTTP response header. It's part of