From 11b1d0e84c1d5618491fb214624d5f2b48e3a536 Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Thu, 16 Apr 2020 15:34:31 -0400 Subject: [PATCH] Flip CSRF_COOKIE_SECURE docs. I think this was backwards. --- docs/auth/session.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/auth/session.md b/docs/auth/session.md index 08c65c17a2..65cc097f83 100644 --- a/docs/auth/session.md +++ b/docs/auth/session.md @@ -14,7 +14,7 @@ hijack cookies will only get the `session_id` itself, which does not imply any c a limited time, and can be revoked at any time. > Note: The CSRF token will by default allow HTTP. To increase security, the `CSRF_COOKIE_SECURE` setting should -be set to False. +be set to True. ## Usage
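Review bot: The corrected sentence ending in `be set to True.` still does not say what the setting does or when it is safe to turn on. `CSRF_COOKIE_SECURE = True` marks the CSRF cookie as Secure, so browsers send it only over HTTPS. On a deployment still reachable over plain HTTP, the cookie is not returned and CSRF-protected requests fail. Suggest qualifying the recommendation with "when the site is served over HTTPS". The unchanged line above it, "The CSRF token will by default allow HTTP", would also be clearer as "the CSRF cookie is sent over HTTP by default", since the setting controls the cookie's transport.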