| author | mo khan <mo@mokhan.ca> | 2025-04-29 08:46:49 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-04-29 08:46:49 -0600 |
| commit | 9b6982dd53c16b6ec7d333e621429781ac1653f7 (patch) | |
| tree | e7680ac53cf6398c9dec064f22712e01f7edee93 /pkg/web | |
| parent | 3b2d79aad75c84a4f807b08f861232077d097e5b (diff) | |
feat: ensure cookie is not accessible to js and only transmitted over tls in production
Diffstat (limited to 'pkg/web')
| -rw-r--r-- | pkg/web/cookie/cookie_test.go | 4 | ||||
| -rw-r--r-- | pkg/web/cookie/new.go | 15 |
2 files changed, 11 insertions, 8 deletions
diff --git a/pkg/web/cookie/cookie_test.go b/pkg/web/cookie/cookie_test.go
index 17e3d88..c91efdc 100644
--- a/pkg/web/cookie/cookie_test.go
+++ b/pkg/web/cookie/cookie_test.go
@@ -11,9 +11,11 @@ import (
 func TestCookie(t *testing.T) {
 t.Run("New", func(t *testing.T) {
 t.Run("returns a cookie pinned to the HOST", func(t *testing.T) {
- env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
+ env.With(env.Vars{"HOST": "sparkle.example.com", "APP_ENV": "production"}, func() {
 cookie := New("name", "value", time.Now().Add(1*time.Minute))
 assert.Equal(t, cookie.Domain, "sparkle.example.com")
+ assert.Equal(t, cookie.HttpOnly, true)
+ assert.Equal(t, cookie.Secure, true)
 })
 })
 })
diff --git a/pkg/web/cookie/new.go b/pkg/web/cookie/new.go
index 2809640..e1d8477 100644
--- a/pkg/web/cookie/new.go
+++ b/pkg/web/cookie/new.go
@@ -8,14 +8,15 @@ import (
 )

 func New(name, value string, expires time.Time) *http.Cookie {
+ production := env.Fetch("APP_ENV", "development") == "production"
 return &http.Cookie{
- Name: name,
- Value: value, // TODO:: digitally sign the value
- Expires: expires,
- MaxAge: int(time.Until(expires).Seconds()),
- Path: "/",
- // HttpOnly: true,
- // Secure: true,
+ Name: name,
+ Value: value, // TODO:: digitally sign the value
+ Expires: expires,
+ MaxAge: int(time.Until(expires).Seconds()),
+ Path: "/",
+ HttpOnly: production,
+ Secure: production,
 SameSite: http.SameSiteDefaultMode,
 Domain: env.Fetch("HOST", "localhost"),
 }
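Review bot: HttpOnly is gated on APP_ENV in the new.go hunk, but it costs nothing in local development (it only keeps the cookie out of document.cookie), so it should be unconditional — `HttpOnly: true,` with only `Secure: production,` left environment-dependent. The `"development"` fallback in `env.Fetch("APP_ENV", "development")` also fails open: a production deployment that forgets to set APP_ENV silently issues cookies without the Secure flag, so defaulting to secure and opting out explicitly for development would be the safer shape. `SameSite: http.SameSiteDefaultMode` omits the attribute entirely and leaves the policy to each browser's default; `http.SameSiteLaxMode` would state the intended cross-site behaviour. The cookie_test.go hunk exercises only the production branch, so a sibling subtest with APP_ENV unset would pin what development cookies look like.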
