diff --git a/docs/releases/1.4.txt b/docs/releases/1.4.txt
index 9275ac6ffeb..10cbe3dba9b 100644
--- a/docs/releases/1.4.txt
+++ b/docs/releases/1.4.txt
@@ -498,9 +498,6 @@ Django 1.4 also includes several smaller improvements worth noting:
 * Added the :djadminopt:`--no-location` option to the :djadmin:`makemessages`
   command.
 
-* Changed the default value for ``httponly`` on session cookies to
-  ``True`` to help reduce the impact of potential XSS attacks.
-
 * Changed the ``locmem`` cache backend to use
   ``pickle.HIGHEST_PROTOCOL`` for better compatibility with the other
   cache backends.
@@ -948,3 +945,11 @@ Now, the flags are keyword arguments of :meth:`@register.filter
         return value
 
 See :ref:`filters and auto-escaping <filters-auto-escaping>` for more information.
+
+Session cookies now have the ``httponly`` flag by default
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Session cookies now include the ``httponly`` attribute by default to
+help reduce the impact of potential XSS attacks. For strict backwards
+compatibility, use ``SESSION_COOKIE_HTTPONLY = False`` in settings.
+