From e77e7b165ac4920290015ec4b95e651730009edc Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Mon, 8 Jun 2020 15:27:31 +0200
Subject: Set all cookies with sameSite: strict

Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Signed-off-by: David Mehren <dmehren1@gmail.com>
---
 app.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'app.js')

diff --git a/app.js b/app.js
index 930191ce..7a66a537 100644
--- a/app.js
+++ b/app.js
@@ -139,7 +139,8 @@ app.use(session({
   saveUninitialized: true, // always create session to ensure the origin
   rolling: true, // reset maxAge on every response
   cookie: {
-    maxAge: config.sessionLife
+    maxAge: config.sessionLife,
+    sameSite: 'strict'
   },
   store: sessionStore
 }))
-- 
cgit v1.2.3