Use secure and httponly csrf cookie

piccolo_api/csrf/middleware.py

@@ -46,6 +46,7 @@ def __init__(
         cookie_name: str = DEFAULT_COOKIE_NAME,
         header_name: str = DEFAULT_HEADER_NAME,
         max_age: int = ONE_YEAR,
+        production: bool = False, 
         allow_header_param: bool = True,
         allow_form_param: bool = False,
         **kwargs,
@@ -65,6 +66,8 @@ def __init__(
             different HTTP header.
         :param max_age:
             The max age of the cookie, in seconds.
+        :param production:
+            Whether the CSRF cookie should be secure.
         :param allow_header_param:
             Whether to look for the CSRF token in the HTTP headers.
         :param allow_form_param:
@@ -81,6 +84,7 @@ def __init__(
         self.cookie_name = cookie_name
         self.header_name = header_name
         self.max_age = max_age
+        self.production = production
         self.allow_header_param = allow_header_param
         self.allow_form_param = allow_form_param
         super().__init__(app, **kwargs)
@@ -120,6 +124,7 @@ async def dispatch(
                     self.cookie_name,
                     token,
                     max_age=self.max_age,
+                    secure=self.production,
                 )
             return response
         else: