@@ -282,12 +282,15 @@ These configuration keys are used globally across all features.
282282 set a CSRF cookie.
283283 The complete set of parameters is described in Flask's `set_cookie `_ documentation.
284284
285- Default: ``{"samesite": "Strict", "httponly": False, "secure": False } ``
285+ Default: ``{"samesite": "Strict", "httponly": False, "secure": True } ``
286286
287287 .. versionchanged :: 4.1.0
288288 The 'key' attribute was deprecated in favor of a separate configuration
289289 variable :data: `SECURITY_CSRF_COOKIE_NAME `.
290290
291+ .. versionchanged :: 5.9.0
292+ ``secure `` default changed to ``True ``
293+
291294.. py :data :: SECURITY_CSRF_HEADER
292295
293296 The HTTP Header name that will contain the CSRF token. ``X-XSRF-Token ``
@@ -1436,12 +1439,24 @@ Configuration related to the two-factor authentication feature.
14361439 Default: ``"30 Days" ``.
14371440
14381441
1442+ .. py :data :: SECURITY_TWO_FACTOR_VALIDITY_COOKIE_NAME
1443+
1444+ Name for the two factor validity cookie.
1445+
1446+ Default: ``tf_validity ``
1447+
1448+ .. versionadded :: 5.9.0
1449+
14391450.. py :data :: SECURITY_TWO_FACTOR_VALIDITY_COOKIE
14401451
14411452 A dictionary containing the parameters of the two-factor validity cookie.
14421453 The complete set of parameters is described in Flask's `set_cookie `_ documentation.
14431454
1444- Default: ``{'httponly': True, 'secure': False, 'samesite': None} ``.
1455+ Default: ``{'httponly': True, 'secure': True, 'samesite': "Strict"} ``.
1456+
1457+
1458+ .. versionchanged :: 5.9.0
1459+ ``secure `` default changed to ``True ``. ``samesite `` default changed to ``Strict ``
14451460
14461461.. py :data :: SECURITY_TWO_FACTOR_IMPLEMENTATIONS
14471462
0 commit comments