From 8406f75bb781ba9e7876b3015cf3bb9cf4704205 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Mon, 8 Jun 2020 15:11:17 +0200 Subject: [PATCH] Ensure session cookies are secure While HSTS should take care of most of this, setting cookies to be secure, and only applied on same site helps to improve situations where for whatever reason, downgrade attacks are still a thing. This patch adds the `sameSite` and `secure` to the session cookie and this way prevents all accidents where a browser may not support HSTS or HSTS is intentionally dropped. Reference: https://www.npmjs.com/package/express-session#cookiesecure Signed-off-by: Sheogorath --- src/lib/app.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/lib/app.ts b/src/lib/app.ts index b4a921df1..93a0399b9 100644 --- a/src/lib/app.ts +++ b/src/lib/app.ts @@ -182,7 +182,8 @@ app.use(session({ rolling: true, // reset maxAge on every response cookie: { maxAge: config.sessionLife, - sameSite: 'strict' + sameSite: 'strict', + secure: config.useSSL || config.protocolUseSSL || false }, store: sessionStore }))
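Review bot: the `secure: config.useSSL || config.protocolUseSSL || false` line needs a matching `trust proxy` setting for the `protocolUseSSL` case, which is the TLS-terminating reverse-proxy deployment where Node itself serves plain HTTP. The express-session documentation linked in the commit message states that with `secure: true` the cookie is only set when the request is seen as HTTPS, and that behind a proxy this requires `app.set('trust proxy', 1)` so `X-Forwarded-Proto` is honoured; without it every login behind the proxy silently fails to set a session cookie. Please confirm that setting is applied elsewhere in `src/lib/app.ts` when `protocolUseSSL` is enabled, or note it in the commit message. Two smaller points: the trailing `|| false` is redundant, since `config.useSSL || config.protocolUseSSL` already yields a falsy value when both are unset, and `secure: 'auto'` (also documented there) would derive the flag from the connection and avoid hard-coding the config combination; either is fine, but the expression as written deserves a short comment explaining why both config keys feed the flag.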