middleware
CSRF cookie is not working for HTTP
The cookie generated by the CSRF middleware contains the attribute 'Secure', which means that the cookie can be transferred only over HTTPS. When using a strict HTTP client over plain HTTP (unsecured), the cookie will not be sent in subsequent requests.
It would be good to check the incoming request for the type of protocol and set the 'Secure' attribute based on that. Potentially even X-Forwarded-For headers.
In production it makes sense to use HTTPS, so this issue will not occur often. But for testing, for example, there is no need for HTTPS at all, and in such a case this is an issue.
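The behaviour described in this issue can be reproduced with a standards-following cookie jar, and the proposed fix can be tried out next to it. The following is an added example written for this page, not the middleware's own code: the page does not say which project or language the middleware belongs to, so Go is used here because its `net/http/cookiejar` is strict about the Secure attribute (it never sends a Secure cookie to an `http://` URL). The helper names `csrfCookieSecure`, `setCSRFCookie` and `cookieSentOnSecondRequest` are hypothetical. The example decides Secure from `r.TLS` and, optionally, from `X-Forwarded-Proto`, which is the header a reverse proxy normally uses to carry the original scheme (X-Forwarded-For carries the client address, not the protocol). The proxy header is only consulted when explicitly trusted, because any client can set it on a direct connection and would otherwise be able to downgrade the cookie.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// csrfCookieSecure decides whether the CSRF cookie should carry the Secure
// attribute (hypothetical helper, not the middleware's own code). A request is
// treated as HTTPS if it arrived over TLS directly or, only when the caller has
// chosen to trust a proxy in front of the app, if X-Forwarded-Proto says so.
func csrfCookieSecure(r *http.Request, trustForwardedProto bool) bool {
	if r.TLS != nil {
		return true
	}
	if trustForwardedProto && r.Header.Get("X-Forwarded-Proto") == "https" {
		return true
	}
	return false
}

// setCSRFCookie stands in for the middleware. With adaptive=false it always
// sets Secure (the behaviour the issue reports); with adaptive=true it sets
// Secure only for requests that actually came in over HTTPS.
func setCSRFCookie(w http.ResponseWriter, r *http.Request, adaptive bool) {
	secure := true
	if adaptive {
		secure = csrfCookieSecure(r, false)
	}
	http.SetCookie(w, &http.Cookie{
		Name:     "csrf",
		Value:    "token", // a real middleware would use a random value
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	})
}

// cookieSentOnSecondRequest runs a plain-HTTP test server, sends two requests
// through a cookie jar and reports whether the jar sent the csrf cookie back
// on the second request. Go's cookiejar drops Secure cookies for http:// URLs,
// which is exactly the failure described in the issue.
func cookieSentOnSecondRequest(adaptive bool) (bool, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		setCSRFCookie(w, r, adaptive) // headers must be set before the body
		if _, err := r.Cookie("csrf"); err == nil {
			io.WriteString(w, "csrf cookie received")
		} else {
			io.WriteString(w, "no csrf cookie")
		}
	}))
	defer srv.Close()

	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	client := &http.Client{Jar: jar}

	var body []byte
	for i := 0; i < 2; i++ {
		resp, err := client.Get(srv.URL) // srv.URL is http://, no TLS
		if err != nil {
			return false, err
		}
		body, err = io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return false, err
		}
	}
	return string(body) == "csrf cookie received", nil
}

func main() {
	for _, adaptive := range []bool{false, true} {
		sent, err := cookieSentOnSecondRequest(adaptive)
		if err != nil {
			panic(err)
		}
		fmt.Printf("adaptive Secure=%v: cookie sent back over http: %v\n", adaptive, sent)
	}
}
```

Running it shows the always-Secure variant losing the cookie on the second plain-HTTP request while the adaptive variant keeps it. Keep `trustForwardedProto` off unless the application is only reachable through a proxy that overwrites `X-Forwarded-Proto`, and prefer always-Secure in production, where the issue itself notes HTTPS is the expected transport.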