Skip to content
This repository has been archived by the owner on Jul 24, 2021. It is now read-only.

Commit

Permalink
make session cookie even more secure
Browse files Browse the repository at this point in the history 
- assert that a cookie ought not to be sent along with cross-site requests
see https://tools.ietf.org/html/draft-west-first-party-cookies-07
- respect cookies with https requests only (although normally the proxy will block
http requests anyway)
  • Loading branch information
@karenetheridge
karenetheridge committed Jan 17, 2020
1 parent 1a83f6c commit 182914d
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions lib/Conch.pm
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ sub startup {

$self->sessions->cookie_name('conch');
$self->sessions->default_expiration(86400); # 1 day
$self->sessions->samesite('Strict'); # do not send with cross-site requests
$self->sessions->secure(1) if $ENV{MOJO_MODE} eq 'production'; # https only

$self->plugin('Config');
$self->secrets(delete $self->config->{secrets});
Expand Down

0 comments on commit 182914d

Please sign in to comment.