Check Cookies sent by Django integration · Issue #1839 · getsentry/sentry-python · GitHub

Check Cookies sent by Django integration #1839

@antonpirker

Summary

Session cookie values logged in Sentry issues, allowing for impersonation if injected into a cookie.

Cause

The Sentry Python SDK (specifically the Django Integration) sends the cookie values by default. In addition, Sentry SaaS / self-hosted is configured to send_default_pii.

Recommended Remediation

The Sentry Python SDK’s Django Integration should be patched to never send the value for SESSION_COOKIE_NAME or CSRF_COOKIE_NAME. These values should be scrubbed regardless of the send_default_pii setting.

Other web framework integrations should have similar scrubbing put in place.

The default self-hosted installation configuration should not default to True for send_default_pii. Users are unlikely to change this and it should be opt-in.
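One way to enforce the remediation described above from the application side, while waiting for an SDK fix, is a `before_send` hook that scrubs the Django session and CSRF cookie values out of every event before it leaves the process. The following is an added example written for this page; it is not code from the sentry-python SDK or from the issue author. It assumes the event shape that sentry-python hands to `before_send` under the Django integration (`event["request"]["cookies"]` as a dict and `event["request"]["headers"]` as a dict that may carry the raw `Cookie` header), and it defaults the cookie names to Django's own defaults for `SESSION_COOKIE_NAME` and `CSRF_COOKIE_NAME` (`sessionid` and `csrftoken`); pass your configured names if they differ. The `[Filtered]` placeholder and the sample event are constructed for the example.

```python
"""Scrub Django session and CSRF cookie values from a Sentry event.

Added example, not part of the sentry-python SDK. It operates on the event
dict passed to a ``before_send`` callback and returns a scrubbed copy, so
the cookie values are removed regardless of the send_default_pii setting.
Register it with ``sentry_sdk.init(..., before_send=scrub_django_cookies)``.
"""
import copy
from http.cookies import SimpleCookie

FILTERED = "[Filtered]"  # placeholder written in place of a sensitive value

# Django's default names for SESSION_COOKIE_NAME and CSRF_COOKIE_NAME.
# Assumption for this example: the application did not rename them.
DEFAULT_SENSITIVE_COOKIES = ("sessionid", "csrftoken")


def _scrub_cookie_header(raw, names):
    """Rebuild a raw Cookie header with the named cookies' values replaced.

    Unnamed cookies keep their original encoded value; named ones are
    replaced by the placeholder so the token never reaches Sentry.
    """
    jar = SimpleCookie()
    jar.load(raw)
    parts = []
    for key, morsel in jar.items():
        value = FILTERED if key in names else morsel.coded_value
        parts.append(f"{key}={value}")
    return "; ".join(parts)


def scrub_django_cookies(event, hint=None, cookie_names=DEFAULT_SENSITIVE_COOKIES):
    """before_send-style hook: copy ``event`` and blank the named cookies.

    Both the parsed ``request.cookies`` dict and the raw ``Cookie`` request
    header are scrubbed, because the SDK may populate either or both.
    The original event is left untouched.
    """
    request = event.get("request")
    if not isinstance(request, dict):
        return event  # nothing request-related to scrub

    event = copy.deepcopy(event)
    request = event["request"]
    names = set(cookie_names)

    cookies = request.get("cookies")
    if isinstance(cookies, dict):
        for name in names:
            if name in cookies:
                cookies[name] = FILTERED

    headers = request.get("headers")
    if isinstance(headers, dict):
        for key, value in headers.items():
            # Header casing varies between WSGI/ASGI paths; match loosely.
            if key.lower() == "cookie" and isinstance(value, str):
                headers[key] = _scrub_cookie_header(value, names)

    return event


# Constructed sample event in the shape the Django integration produces.
SAMPLE_EVENT = {
    "message": "example error",
    "request": {
        "url": "https://example.invalid/account/",
        "cookies": {"sessionid": "abc123", "csrftoken": "tok456", "theme": "dark"},
        "headers": {"Cookie": "sessionid=abc123; csrftoken=tok456; theme=dark"},
    },
}


if __name__ == "__main__":
    scrubbed = scrub_django_cookies(SAMPLE_EVENT, {})
    print(scrubbed["request"]["cookies"])
    print(scrubbed["request"]["headers"]["Cookie"])
```

The hook returns a copy rather than mutating in place so that any other `before_send` logic or local debugging still sees the original event; the `hint` argument is unused but kept because the SDK always passes it.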
