Ensure session cookies are secure

While HSTS should take care of most of this, setting cookies to be secure, and only applied on same site helps to improve situations where for whatever reason, downgrade attacks are still a thing. This patch adds the `sameSite` and `secure` to the session cookie and this way prevent all accidents where a browser may doesn't support HSTS or HSTS is intentionally dropped. Reference: https://www.npmjs.com/package/express-session#cookiesecure Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
author: Sheogorath 2020-06-08 15:11:17 +0200
committer: Sheogorath 2020-06-08 16:09:49 +0200
commit: 383d791a50919bb9890a3f3f797ecc95125ab8bf (patch)
tree: dc0f3696daafa1e3d45834adf4507270a0bea90f /app.js
parent: 49de5f5bd6239354d98b424804951974588ab25e (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/app.js b/app.js
index 930191ce..36cfe64a 100644
--- a/app.js
+++ b/app.js
@@ -139,7 +139,9 @@ app.use(session({
   saveUninitialized: true, // always create session to ensure the origin
   rolling: true, // reset maxAge on every response
   cookie: {
-    maxAge: config.sessionLife
+    maxAge: config.sessionLife,
+    sameSite: true,
+    secure: config.useSSL || config.protocolUseSSL || false
   },
   store: sessionStore
 }))
author	Sheogorath	2020-06-08 15:11:17 +0200
committer	Sheogorath	2020-06-08 16:09:49 +0200
commit	383d791a50919bb9890a3f3f797ecc95125ab8bf (patch)
tree	dc0f3696daafa1e3d45834adf4507270a0bea90f /app.js
parent	49de5f5bd6239354d98b424804951974588ab25e (diff)