Ensure session cookies are secure

While HSTS should take care of most of this, setting cookies to be
secure and only applied on the same site helps to improve situations where,
for whatever reason, downgrade attacks are still a thing.

This patch adds `sameSite` and `secure` to the session cookie and
this way prevents all accidents where a browser may not support HSTS
or HSTS is intentionally dropped.

Reference:
https://www.npmjs.com/package/express-session#cookiesecure

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Sheogorath 2020-06-08 15:11:17 +02:00
parent 49de5f5bd6
commit 383d791a50
No known key found for this signature in database
GPG key ID: C9B1C80737B9CE18

4
app.js

@ -139,7 +139,9 @@ app.use(session({
saveUninitialized: true, // always create session to ensure the origin saveUninitialized: true, // always create session to ensure the origin
rolling: true, // reset maxAge on every response rolling: true, // reset maxAge on every response
cookie: { cookie: {
maxAge: config.sessionLife maxAge: config.sessionLife,
sameSite: true,
secure: config.useSSL || config.protocolUseSSL || false
}, },
store: sessionStore store: sessionStore
})) }))
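Review bot: `secure: config.useSSL || config.protocolUseSSL || false` will silently stop the session cookie from being set when the app runs behind a TLS-terminating reverse proxy, because express-session only treats the connection as secure if it sees TLS itself or is told to trust the proxy; the referenced express-session docs for `cookie.secure` call this out, so either pass `proxy: true` in the same `session({ ... })` options or make sure `app.set('trust proxy', ...)` is configured whenever `config.protocolUseSSL` is the reason `secure` ends up true. Separately, `sameSite: true` is serialized as `SameSite=Strict`, which means the cookie is not sent on any cross-site top-level navigation back into the app (for example a login flow that returns via a redirect from an external provider); if such flows exist, `sameSite: 'lax'` keeps the CSRF protection for non-navigational requests without dropping the session on the return redirect. The trailing `|| false` is redundant for the boolean check but harmless as a normalization of `undefined` to `false`.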