Fix production cookie settings

evershopcommerce · Jul 18, 2024 · 18f5019 · treoden · Jul 19, 2024 · MarwanRadwan7
1 parent f76e5db
commit 18f5019
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/packages/evershop/bin/lib/addDefaultMiddlewareFuncs.js b/packages/evershop/bin/lib/addDefaultMiddlewareFuncs.js
@@ -86,7 +86,8 @@ exports.addDefaultMiddlewareFuncs = function addDefaultMiddlewareFuncs(
 
   if (isProductionMode()) {
     app.set('trust proxy', 1);
-    sess.cookie.secure = false;
+    sess.cookie.secure = true; // HTTPS
+    sess.cookie.sameSite = 'strict'; // Prevent CSRF attacks
   }
 
   const adminSessionMiddleware = session({