[security] Set SameSite to strict instead of browser default (#606)

2024-10-31 22:40:01 +00:00 · 2022-05-25 18:08:12 +02:00 · 2022-05-25 18:08:12 +02:00 · f848aaa81f
commit f848aaa81f
parent a54efa09f9
1 changed files with 1 additions and 1 deletions
--- a/internal/router/session.go
+++ b/internal/router/session.go
@ -42,7 +42,7 @@ func SessionOptions() sessions.Options {
 		MaxAge:   120,                                              // 2 minutes
 		Secure:   viper.GetString(config.Keys.Protocol) == "https", // only use cookie over https
 		HttpOnly: true,                                             // exclude javascript from inspecting cookie
-		SameSite: http.SameSiteDefaultMode,                         // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+		SameSite: http.SameSiteStrictMode,                          // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
 	}
 }