| author | Sheogorath | 2020-06-08 15:11:17 +0200 |
|---|---|---|
| committer | Sheogorath | 2020-06-08 16:09:49 +0200 |
| commit | 383d791a50919bb9890a3f3f797ecc95125ab8bf (patch) | |
| tree | dc0f3696daafa1e3d45834adf4507270a0bea90f | |
| parent | 49de5f5bd6239354d98b424804951974588ab25e (diff) | |
Ensure session cookies are secure
While HSTS should take care of most of this, setting cookies to be
secure, and only applied on same site, helps to improve situations where,
for whatever reason, downgrade attacks are still a thing.
This patch adds `sameSite` and `secure` to the session cookie and
this way prevents all accidents where a browser may not support HSTS
or HSTS is intentionally dropped.
Reference:
https://www.npmjs.com/package/express-session#cookiesecure
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
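An added check (example code, not part of this commit or the project): parse a `Set-Cookie` header and report whether the session cookie carries the `Secure` and `SameSite` attributes this patch enables, plus `HttpOnly`. It assumes express-session's default cookie name `connect.sid`; the two header strings are constructed samples showing the cookie before and after the change.

```javascript
// Added example (not part of this commit): audit a Set-Cookie header for the
// attributes the patch turns on. "connect.sid" is express-session's default
// cookie name; the header strings below are constructed samples.

function parseSetCookie(header) {
  // Cookie values cannot contain ';' (RFC 6265), so splitting on it is safe.
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1); // flag attrs -> true
  }
  return cookie;
}

// Returns a list of findings; an empty list means the session cookie carries
// Secure and SameSite (what this commit sets) and HttpOnly (express-session's
// default). Any other cookie name is reported rather than audited.
function auditSessionCookie(header, cookieName = 'connect.sid') {
  const c = parseSetCookie(header);
  if (c.name !== cookieName) return [`not the session cookie: ${c.name}`];
  const a = c.attributes;
  const findings = [];
  if (!a.secure) findings.push('missing Secure: cookie is also sent over plain HTTP');
  if (!a.httponly) findings.push('missing HttpOnly: cookie is readable from script');
  const sameSite = typeof a.samesite === 'string' ? a.samesite.toLowerCase() : '';
  if (sameSite !== 'strict' && sameSite !== 'lax') {
    findings.push('missing or permissive SameSite: cookie is sent on cross-site requests');
  }
  return findings;
}

// Constructed samples: the session cookie before and after this patch.
const BEFORE = 'connect.sid=s%3Aabc.def; Path=/; Expires=Tue, 09 Jun 2020 13:11:17 GMT; HttpOnly';
const AFTER = 'connect.sid=s%3Aabc.def; Path=/; Expires=Tue, 09 Jun 2020 13:11:17 GMT; HttpOnly; Secure; SameSite=Strict';

console.log('before:', auditSessionCookie(BEFORE)); // two findings: Secure, SameSite
console.log('after:', auditSessionCookie(AFTER)); // []
```

Run it against a real response with `curl -sI https://<your-host>/` and paste the `set-cookie:` value to confirm the deployed configuration (e.g. `trust proxy` behind TLS termination) actually yields `Secure`.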
-rw-r--r-- | app.js | 4 |
1 files changed, 3 insertions, 1 deletions
@@ -139,7 +139,9 @@ app.use(session({ saveUninitialized: true, // always create session to ensure the origin rolling: true, // reset maxAge on every response cookie: { - maxAge: config.sessionLife + maxAge: config.sessionLife, + sameSite: true, + secure: config.useSSL || config.protocolUseSSL || false }, store: sessionStore })) |
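Review bot: `sameSite: true` in express-session maps to `SameSite=Strict`, which is stronger than the "only applied on same site" wording in the commit message suggests: with Strict, the browser withholds the session cookie on top-level navigations that arrive from another site (a link to a note shared by mail or chat), so the user lands on the first page without their session and has to reload or click again. If that is not intended, `sameSite: 'lax'` still blocks the cookie on cross-site POSTs while letting ordinary link follows carry it. On the `secure` line, the trailing `|| false` is redundant, since the `||` chain already yields a falsy value when both config flags are unset. Also, when `secure` resolves to `true` behind a TLS-terminating proxy (the `config.protocolUseSSL` case), the referenced cookie.secure documentation notes that express-session only sets the cookie if Express trusts the proxy (`app.set('trust proxy', 1)`); worth confirming that setting exists for that deployment, otherwise logins silently stop working.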