Set all cookies with sameSite: strict

Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite Signed-off-by: David Mehren <dmehren1@gmail.com>
author: David Mehren 2020-06-08 15:27:31 +0200
committer: David Mehren 2020-06-08 15:27:31 +0200
commit: e77e7b165ac4920290015ec4b95e651730009edc (patch)
tree: 15f7918b02634913082d760003a9b57dbd317f51 /app.js
parent: 49de5f5bd6239354d98b424804951974588ab25e (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/app.js b/app.js
index 930191ce..7a66a537 100644
--- a/app.js
+++ b/app.js
@@ -139,7 +139,8 @@ app.use(session({
   saveUninitialized: true, // always create session to ensure the origin
   rolling: true, // reset maxAge on every response
   cookie: {
-    maxAge: config.sessionLife
+    maxAge: config.sessionLife,
+    sameSite: 'strict'
   },
   store: sessionStore
 }))
author	David Mehren	2020-06-08 15:27:31 +0200
committer	David Mehren	2020-06-08 15:27:31 +0200
commit	e77e7b165ac4920290015ec4b95e651730009edc (patch)
tree	15f7918b02634913082d760003a9b57dbd317f51 /app.js
parent	49de5f5bd6239354d98b424804951974588ab25e (diff)