What’s new in Tornado 6.3.0

Apr 17, 2023


  • The new Application setting xsrf_cookie_name can now be used to take advantage of the __Host cookie prefix for improved security. To use it, add {"xsrf_cookie_name": "__Host-xsrf", "xsrf_cookie_kwargs": {"secure": True}} to your Application settings. Note that this feature currently only works when HTTPS is used.

  • WSGIContainer now supports running the application in a ThreadPoolExecutor so the event loop is no longer blocked.

  • AsyncTestCase and AsyncHTTPTestCase, which were deprecated in Tornado 6.2, are no longer deprecated.

  • WebSockets are now much faster at receiving large messages split into many fragments.

General changes

  • Python 3.7 is no longer supported; the minimum supported Python version is 3.8. Python 3.12 is now supported.

  • To avoid spurious deprecation warnings, users of Python 3.10 should upgrade to at least version 3.10.9, and users of Python 3.11 should upgrade to at least version 3.11.1.

  • Tornado submodules are now imported automatically on demand. This means it is now possible to use a single import tornado statement and refer to objects in submodules such as tornado.web.RequestHandler.

Deprecation notices



  • contextvars now work properly when a @gen.coroutine calls a native coroutine.


  • parse_config_file now recognizes single comma-separated strings (in addition to lists of strings) for options with multiple=True.


  • New Application setting xsrf_cookie_name can be used to change the name of the XSRF cookie. This is most useful to take advantage of the __Host- cookie prefix.

  • RequestHandler.get_secure_cookie and RequestHandler.set_secure_cookie (and related methods and attributes) have been renamed to get_signed_cookie and set_signed_cookie. This makes it more explicit what kind of security is provided, and avoids confusion with the Secure cookie attribute and __Secure- cookie prefix. The old names remain supported as deprecated aliases.

  • RequestHandler.clear_cookie now accepts all keyword arguments accepted by set_cookie. In some cases clearing a cookie requires certain arguments to be passed the same way in which it was set.

  • RequestHandler.clear_all_cookies now accepts additional keyword arguments for the same reason as clear_cookie. However, since the requirements for additional arguments mean that it cannot reliably clear all cookies, this method is now deprecated.


  • It is now much faster (no longer quadratic) to receive large messages that have been split into many fragments.

  • websocket_connect now accepts a resolver parameter.


  • WSGIContainer now accepts an executor parameter which can be used to run the WSGI application on a thread pool.