github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-10-19 13:50:15 -04:00
Code Issues Projects Releases Packages Wiki Activity

Ensure session cookies are secure

Browse source 
While HSTS should take care of most of this, setting cookies to be
secure, and only applied on same site helps to improve situations where
for whatever reason, downgrade attacks are still a thing.

This patch adds the `sameSite` and `secure` to the session cookie and
this way prevent all accidents where a browser may doesn't support HSTS
or HSTS is intentionally dropped.

Reference:
https://www.npmjs.com/package/express-session#cookiesecure

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2020-06-08 15:11:17 +02:00 committed by Dexter Chua
parent fb77878143
commit 8406f75bb7
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/lib/app.ts
View file

@ -182,7 +182,8 @@ app.use(session({
rolling: true, // reset maxAge on every response rolling: true, // reset maxAge on every response
cookie: { cookie: {
maxAge: config.sessionLife, maxAge: config.sessionLife,
sameSite: 'strict' sameSite: 'strict',
secure: config.useSSL || config.protocolUseSSL || false
}, },
store: sessionStore store: sessionStore
})) }))