[security] Set SameSite to strict instead of browser default (#606)

This commit is contained in:
tobi 2022-05-25 18:08:12 +02:00 committed by GitHub
parent a54efa09f9
commit f848aaa81f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -42,7 +42,7 @@ func SessionOptions() sessions.Options {
MaxAge: 120, // 2 minutes MaxAge: 120, // 2 minutes
Secure: viper.GetString(config.Keys.Protocol) == "https", // only use cookie over https Secure: viper.GetString(config.Keys.Protocol) == "https", // only use cookie over https
HttpOnly: true, // exclude javascript from inspecting cookie HttpOnly: true, // exclude javascript from inspecting cookie
SameSite: http.SameSiteDefaultMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 SameSite: http.SameSiteStrictMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
} }
} }
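Review bot: `http.SameSiteStrictMode` may break the very flow this short-lived (MaxAge 120) session cookie appears to serve: a Strict cookie is not sent on a top-level cross-site navigation, so if the browser reaches this server via a redirect from an external site (for example an OIDC/OAuth callback from a third-party identity provider) the session, and any state or nonce kept in it, is absent when the callback handler runs. If that flow exists, `SameSite: http.SameSiteLaxMode,` is the usual choice (it still withholds the cookie on cross-site POSTs and subresource requests, which is the CSRF case that matters), or make the mode a config key so deployments behind an external IdP can relax it. Whether such a redirect exists is not visible here and should be confirmed against the callers of SessionOptions; the function body starts before this hunk. The trailing comment still cites draft-ietf-httpbis-cookie-same-site-00; pointing it at the current draft-ietf-httpbis-rfc6265bis would be a more durable reference.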