From 65389b93922e193be8769609e29fff6243147a9c Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 29 Apr 2025 09:02:47 -0600
Subject: Use secure and http flag on cookies everywhere
> A cookie with the Secure attribute is only sent to the server with
> an encrypted request over the HTTPS protocol. It's never sent with
> unsecured HTTP (except on localhost), which means man-in-the-middle
> attackers can't access it easily. Insecure sites (with http: in the
> URL) can't set cookies with the Secure attribute. However, don't
> assume that Secure prevents all access to sensitive information in
> cookies. For example, someone with access to the client's hard disk
> (or JavaScript if the HttpOnly attribute isn't set) can read and
> modify the information.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies
---
 pkg/web/cookie/cookie_test.go | 2 +-
 pkg/web/cookie/new.go | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
(limited to 'pkg/web')
diff --git a/pkg/web/cookie/cookie_test.go b/pkg/web/cookie/cookie_test.go
index c91efdc..9ac1817 100644
--- a/pkg/web/cookie/cookie_test.go
+++ b/pkg/web/cookie/cookie_test.go
@@ -11,7 +11,7 @@ import (
 func TestCookie(t *testing.T) {
 t.Run("New", func(t *testing.T) {
 t.Run("returns a cookie pinned to the HOST", func(t *testing.T) {
- env.With(env.Vars{"HOST": "sparkle.example.com", "APP_ENV": "production"}, func() {
+ env.With(env.Vars{"HOST": "sparkle.example.com"}, func() {
 cookie := New("name", "value", time.Now().Add(1*time.Minute))
 assert.Equal(t, cookie.Domain, "sparkle.example.com")
 assert.Equal(t, cookie.HttpOnly, true)
diff --git a/pkg/web/cookie/new.go b/pkg/web/cookie/new.go
index e1d8477..335b305 100644
--- a/pkg/web/cookie/new.go
+++ b/pkg/web/cookie/new.go
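Review bot: The visible assertions still only pin `cookie.Domain` and `cookie.HttpOnly`, while the behaviour this commit introduces is that `Secure` is set unconditionally, so an `assert.Equal(t, cookie.Secure, true)` next to the HttpOnly line would lock that guarantee in. It may already exist further down, as the hunk ends before the subtest closes; if it does not, the drop of the `APP_ENV` fixture leaves the production-only branch's replacement untested. The subtest's closing braces are outside the hunk.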
@@ -8,15 +8,14 @@ import (
 )
 
 func New(name, value string, expires time.Time) *http.Cookie {
- production := env.Fetch("APP_ENV", "development") == "production"
 return &http.Cookie{
 Name: name,
 Value: value, // TODO:: digitally sign the value
 Expires: expires,
 MaxAge: int(time.Until(expires).Seconds()),
 Path: "/",
- HttpOnly: production,
- Secure: production,
+ HttpOnly: true,
+ Secure: true,
 SameSite: http.SameSiteDefaultMode,
 Domain: env.Fetch("HOST", "localhost"),
 }
-- 
cgit v1.2.3
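Review bot: With HttpOnly and Secure now unconditional, the one attribute still left to the client is SameSite: `http.SameSiteDefaultMode` emits no SameSite attribute at all, and browsers disagree on what the absence means (some treat it as Lax, others as None), so the cookie's cross-site behaviour varies by client. Setting it explicitly, `SameSite: http.SameSiteLaxMode,` (or Strict if the cookie never needs to ride a top-level cross-site navigation), would make the CSRF posture as deterministic as the two flags this commit fixes. Since Secure now applies in every environment, a browser talking plain HTTP will only accept the cookie for localhost, which the `env.Fetch("HOST", "localhost")` fallback covers; a non-localhost HOST served over HTTP will silently lose the cookie, and a doc comment such as `// New returns a cookie that is always Secure and HttpOnly; over plain HTTP browsers accept it only for localhost.` would make that explicit. New's closing brace is outside the hunk.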