Ensure session cookies are secure
While HSTS should take care of most of this, setting cookies to be secure and only applied on the same site helps in situations where, for whatever reason, downgrade attacks are still a thing. This patch adds `sameSite` and `secure` to the session cookie and this way prevents accidents where a browser doesn't support HSTS or HSTS is intentionally dropped. Reference: https://www.npmjs.com/package/express-session#cookiesecure Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
parent
49de5f5bd6
commit
383d791a50
1 changed files with 3 additions and 1 deletions
4
app.js
4
app.js
@ -139,7 +139,9 @@ app.use(session({
saveUninitialized: true, // always create session to ensure the origin
saveUninitialized: true, // always create session to ensure the origin
rolling: true, // reset maxAge on every response
rolling: true, // reset maxAge on every response
cookie: {
cookie: {
maxAge: config.sessionLife
maxAge: config.sessionLife,
|
sameSite: true,
|
secure: config.useSSL || config.protocolUseSSL || false
},
},
store: sessionStore
store: sessionStore
}))
}))
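Review bot: The new `secure:` line derives the flag from `config.protocolUseSSL`, but express-session only emits a `Secure` cookie when it judges the request itself to be HTTPS, so behind a TLS-terminating reverse proxy this silently stops the session cookie from ever being set (and every login then fails) unless Express trusts the proxy via `app.set('trust proxy', 1)`. I can't see from this hunk whether trust proxy is configured elsewhere in app.js; confirm it is, or consider `secure: 'auto'` together with trust proxy. `sameSite: true` also means `SameSite=Strict`, which browsers drop on cross-site top-level navigations, so a redirect-based login callback would arrive without the pre-login session; `sameSite: 'lax'` is the usual choice for a session cookie if such flows exist. The `|| false` tail is redundant since `a || b` already yields a falsy value when both operands are falsy; `secure: Boolean(config.useSSL || config.protocolUseSSL)` states the intent more clearly. The `app.use(session({` call this hunk edits starts before the hunk.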