authormo khan <mo@mokhan.ca>2025-04-29 09:02:47 -0600
committermo khan <mo@mokhan.ca>2025-04-29 09:02:47 -0600
commit65389b93922e193be8769609e29fff6243147a9c (patch)
treece0eb5300c4ab281bac6f30832d8ae1e0b2fe9eb /pkg/web/cookie
parent9b6982dd53c16b6ec7d333e621429781ac1653f7 (diff)
Use secure and http flag on cookies everywhere
> A cookie with the Secure attribute is only sent to the server with > an encrypted request over the HTTPS protocol. It's never sent with > unsecured HTTP (except on localhost), which means man-in-the-middle > attackers can't access it easily. Insecure sites (with http: in the > URL) can't set cookies with the Secure attribute. However, don't > assume that Secure prevents all access to sensitive information in > cookies. For example, someone with access to the client's hard disk > (or JavaScript if the HttpOnly attribute isn't set) can read and > modify the information. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies
Diffstat (limited to 'pkg/web/cookie')
-rw-r--r--pkg/web/cookie/cookie_test.go2
-rw-r--r--pkg/web/cookie/new.go5
2 files changed, 3 insertions, 4 deletions
diff --git a/pkg/web/cookie/cookie_test.go b/pkg/web/cookie/cookie_test.go
index c91efdc..9ac1817 100644
--- a/pkg/web/cookie/cookie_test.go
+++ b/pkg/web/cookie/cookie_test.go
@@ -11,7 +11,7 @@ import (
func TestCookie(t *testing.T) {
t.Run("New", func(t *testing.T) {
t.Run("returns a cookie pinned to the HOST", func(t *testing.T) {
- env.With(env.Vars{"HOST": "sparkle.example.com", "APP_ENV": "production"}, func() {
+ env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
cookie := New("name", "value", time.Now().Add(1*time.Minute))
assert.Equal(t, cookie.Domain, "sparkle.example.com")
assert.Equal(t, cookie.HttpOnly, true)
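Review bot: After dropping APP_ENV from the fixture the test still only pins HttpOnly, while the point of the commit is that New sets Secure unconditionally; unless an assertion on cookie.Secure already follows below the hunk, add `assert.Equal(t, cookie.Secure, true)` next to the HttpOnly line so a regression back to environment-gated flags is caught. The subtest named "returns a cookie pinned to the HOST" now also carries the hardening checks; a separate subtest such as "sets Secure and HttpOnly regardless of APP_ENV" that calls New under `env.With(env.Vars{}, ...)` would document that the attributes no longer depend on the environment. TestCookie continues past the end of the hunk.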
diff --git a/pkg/web/cookie/new.go b/pkg/web/cookie/new.go
index e1d8477..335b305 100644
--- a/pkg/web/cookie/new.go
+++ b/pkg/web/cookie/new.go
@@ -8,15 +8,14 @@ import (
)
func New(name, value string, expires time.Time) *http.Cookie {
- production := env.Fetch("APP_ENV", "development") == "production"
return &http.Cookie{
Name: name,
Value: value, // TODO:: digitally sign the value
Expires: expires,
MaxAge: int(time.Until(expires).Seconds()),
Path: "/",
- HttpOnly: production,
- Secure: production,
+ HttpOnly: true,
+ Secure: true,
SameSite: http.SameSiteDefaultMode,
Domain: env.Fetch("HOST", "localhost"),
}