authormo khan <mo@mokhan.ca>2025-04-29 09:27:53 -0600
committermo khan <mo@mokhan.ca>2025-04-29 09:27:53 -0600
commit37a825b810d34a84044d43bd1bed579fcdc31874 (patch)
treea8850e4e1ba4e46742ad1870b9ea11a4353f083d /pkg/web/cookie
parent65389b93922e193be8769609e29fff6243147a9c (diff)
feat: use same site strict mode
> Strict causes the browser to only send the cookie in response to requests originating from the cookie's origin site. This should be used when you have cookies relating to functionality that will always be behind an initial navigation, such as authentication or storing shopping cart information. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#controlling_third-party_cookies_with_samesite
Diffstat (limited to 'pkg/web/cookie')
-rw-r--r--pkg/web/cookie/cookie_test.go8
-rw-r--r--pkg/web/cookie/new.go2
2 files changed, 6 insertions, 4 deletions
diff --git a/pkg/web/cookie/cookie_test.go b/pkg/web/cookie/cookie_test.go
index 9ac1817..f7f013d 100644
--- a/pkg/web/cookie/cookie_test.go
+++ b/pkg/web/cookie/cookie_test.go
@@ -1,6 +1,7 @@
package cookie
import (
+ "net/http"
"testing"
"time"
@@ -13,9 +14,10 @@ func TestCookie(t *testing.T) {
t.Run("returns a cookie pinned to the HOST", func(t *testing.T) {
env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
cookie := New("name", "value", time.Now().Add(1*time.Minute))
- assert.Equal(t, cookie.Domain, "sparkle.example.com")
- assert.Equal(t, cookie.HttpOnly, true)
- assert.Equal(t, cookie.Secure, true)
+ assert.Equal(t, "sparkle.example.com", cookie.Domain)
+ assert.Equal(t, true, cookie.HttpOnly)
+ assert.Equal(t, true, cookie.Secure)
+ assert.Equal(t, http.SameSiteStrictMode, cookie.SameSite)
})
})
})
diff --git a/pkg/web/cookie/new.go b/pkg/web/cookie/new.go
index 335b305..d4d0700 100644
--- a/pkg/web/cookie/new.go
+++ b/pkg/web/cookie/new.go
@@ -16,7 +16,7 @@ func New(name, value string, expires time.Time) *http.Cookie {
Path: "/",
HttpOnly: true,
Secure: true,
- SameSite: http.SameSiteDefaultMode,
+ SameSite: http.SameSiteStrictMode,
Domain: env.Fetch("HOST", "localhost"),
}
}
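Review bot: The switch to `http.SameSiteStrictMode` on the `SameSite:` line is undocumented in the code, and Strict has a behavioral cost the commit message only hints at: the browser also withholds the cookie on cross-site top-level navigations, so a user who arrives from an external link (email, search result) makes their first request without this cookie and must be handled as unauthenticated until an in-site navigation. I would add a comment next to the field, `// Strict: withheld on cross-site top-level navigations; the first request after an external link arrives without this cookie.`, so the tradeoff against Lax is recorded where the next maintainer will look. Separately, `Domain: env.Fetch("HOST", "localhost")` makes this a domain cookie, which browsers send to every subdomain of HOST; if the cookie is only ever read by the host itself, omitting Domain yields a host-only cookie with a tighter scope (and is a prerequisite for the `__Host-` name prefix) — whether subdomains need it is not visible from this hunk. The body of New begins above the hunk; only the tail of the struct literal is shown.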