From 11f44cfea71f0284458fef402294aa03318c8d2d Mon Sep 17 00:00:00 2001
From: Mark Story
Date: Thu, 31 Dec 2015 13:13:33 -0500
Subject: [PATCH] Default CSRF token to Httponly.

While this _could_ be backwards incompatible. I think it is a safer default to start new applications with.
---
 src/Controller/Component/CsrfComponent.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Controller/Component/CsrfComponent.php b/src/Controller/Component/CsrfComponent.php
index 0235cf732e9..e23154aa6ee 100644
--- a/src/Controller/Component/CsrfComponent.php
+++ b/src/Controller/Component/CsrfComponent.php
@@ -46,7 +46,7 @@ class CsrfComponent extends Component
 * - cookieName = The name of the cookie to send.
 * - expiry = How long the CSRF token should last. Defaults to browser session.
 * - secure = Whether or not the cookie will be set with the Secure flag. Defaults to false.
- * - httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to false.
+ * - httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to true.
 * - field = The form field to check. Changing this will also require configuring
 * FormHelper.
 *
@@ -56,7 +56,7 @@ class CsrfComponent extends Component
 'cookieName' => 'csrfToken',
 'expiry' => 0,
 'secure' => false,
- 'httpOnly' => false,
+ 'httpOnly' => true,
 'field' => '_csrfToken',
 ];
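Review bot: The updated `httpOnly` docblock line states the new default but not its consequence for callers: with HttpOnly set, client-side JavaScript can no longer read the `csrfToken` cookie through `document.cookie`, so any AJAX code that copied the cookie value into a request must now obtain the token from the rendered form field (`_csrfToken`) or another page-embedded value. Suggest extending the line to ` * - httpOnly = Whether or not the cookie will be set with the HttpOnly flag. Defaults to true. When true the token cannot be read from JavaScript; AJAX clients must take it from the form field rather than the cookie.` The adjacent `secure` entry still documents a default of false, and a sentence recommending `true` for HTTPS deployments would make the safer-default intent of this commit consistent across both flags. The docblock and the class it belongs to begin outside the hunk.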
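Review bot: `'secure' => false` is left unchanged beside the new `'httpOnly' => true`, so by default the token cookie is still sent over plain HTTP even though the commit's stated goal is a safer starting default; the same reasoning applies to the Secure flag, since a network-path attacker can observe the cookie on HTTP connections regardless of HttpOnly. If the component can see the request when it writes the cookie (not visible in this hunk), setting Secure whenever the request is HTTPS would be the safer option; otherwise flipping the default to true with the same backwards-compatibility note this commit already carries seems consistent. Because the commit message acknowledges the change can break existing applications, a one-line comment above the entry, e.g. `// HttpOnly by default: JS cannot read this cookie, take the token from the form field.`, would keep the next reader from discovering the behaviour change at runtime. The `$_defaultConfig` array starts outside the hunk; only its closing `];` is visible.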