Section 2.1.9 (Top Level)

General

Set the HttpOnly flag on the session cookie. This stops client-side scripts from reading (and so stealing) the session cookie in Internet Explorer and the other browsers that honour the flag; a browser that does not recognise it simply ignores the attribute, so the flag is a defence-in-depth measure, not a substitute for fixing script injection.

Django

Django provides no built-in support for setting the HttpOnly flag.
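Where the framework itself does not set the flag, the attribute can still be added to outgoing Set-Cookie headers at the WSGI layer, which is framework-independent. The following is an added example, not code from the original guide or from Django: a small checker that reports whether a Set-Cookie header carries HttpOnly (useful when auditing responses), and a WSGI middleware that adds the flag to named cookies. It assumes the session cookie is called `sessionid` (Django's default session cookie name) and uses only the Python standard library; the sample application and header values are constructed. Note that Django releases from 1.4 onward do ship a `SESSION_COOKIE_HTTPONLY` setting, so on a current installation that setting, rather than a middleware, is the right place to enforce this.

```python
"""Check for and enforce the HttpOnly attribute on Set-Cookie headers.

Added example (not from the original guide). Standard library only.
"""
from http.cookies import SimpleCookie

# Assumption: the session cookie is named "sessionid" (Django's default).
SESSION_COOKIE_NAMES = frozenset({"sessionid"})


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value and report the security flags.

    Returns {cookie_name: {"httponly": bool, "secure": bool}}.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return {
        name: {
            "httponly": bool(morsel["httponly"]),
            "secure": bool(morsel["secure"]),
        }
        for name, morsel in jar.items()
    }


def enforce_httponly(set_cookie_value, cookie_names=SESSION_COOKIE_NAMES):
    """Return the header value with HttpOnly added to the named cookies.

    Cookies not in cookie_names are returned unchanged; an unparseable
    value is passed through untouched rather than dropped.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if not jar:
        return set_cookie_value
    for name, morsel in jar.items():
        if name in cookie_names:
            morsel["httponly"] = True
    return "; ".join(morsel.OutputString() for morsel in jar.values())


class HttpOnlyMiddleware:
    """WSGI middleware that rewrites Set-Cookie headers on every response."""

    def __init__(self, app, cookie_names=SESSION_COOKIE_NAMES):
        self.app = app
        self.cookie_names = frozenset(cookie_names)

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            hardened = [
                (k, enforce_httponly(v, self.cookie_names))
                if k.lower() == "set-cookie" else (k, v)
                for k, v in headers
            ]
            return start_response(status, hardened, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed sample app: issues the session cookie without HttpOnly."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "sessionid=abc123; Path=/"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ])
    return [b"hello"]


def response_headers(app, path="/"):
    """Run a WSGI app once with a minimal environ and return its headers."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    b"".join(app(environ, start_response))
    return captured["headers"]


if __name__ == "__main__":
    for key, value in response_headers(HttpOnlyMiddleware(demo_app)):
        if key == "Set-Cookie":
            print(value, cookie_flags(value))
```

Only the session cookie is touched, so cookies that legitimately need to be readable from script (the `theme` cookie in the sample) keep working. The checker is equally usable on its own against headers captured from a running site.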