Flip CSRF_COOKIE_SECURE docs.

I think this was backwards.
2026-01-10 15:32:07 -03:30 · 2020-04-16 15:34:31 -04:00 · 2020-04-16 15:34:31 -04:00 · 11b1d0e84c
commit 11b1d0e84c
parent f47325a532
1 changed files with 1 additions and 1 deletions
--- a/docs/auth/session.md
+++ b/docs/auth/session.md
@ -14,7 +14,7 @@ hijack cookies will only get the `session_id` itself, which does not imply any c
 a limited time, and can be revoked at any time.

 > Note: The CSRF token will by default allow HTTP.  To increase security, the `CSRF_COOKIE_SECURE` setting should
-be set to False.  
+be set to True.


 ## Usage