From 0827fb2c24044daf0f13a3a1271c199988e0259e Mon Sep 17 00:00:00 2001
From: David Hoppenbrouwers
Date: Thu, 26 Jan 2023 09:34:26 +0100
Subject: [PATCH 1/2] Fix cookie SameSite not being set
---
 Makefile | 4 +++-
 main.py | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index a249d6a..b852cd6 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@ SQLITE = sqlite3
 default: venv
-test:: venv
+test: venv
 test/all.sh
 venv:
@@ -13,3 +13,5 @@ venv:
 forum.db:
 $(SQLITE) $@ < schema.txt
+
+.PHONY: test
diff --git a/main.py b/main.py
index 40bc13e..b6c47fc 100644
--- a/main.py
+++ b/main.py
@@ -14,6 +14,11 @@ app = Flask(__name__)
 db = DB(os.getenv('DB'))
+# This defaults to None, which allows CSRF attacks in FireFox
+# and older versions of Chrome.
+# 'Lax' is sufficient to prevent malicious POST requests.
+app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
+
 class Config: pass
 config = Config()
From a372d7d4e77b6b43e5c7474494bd1c2aaeb41f6d Mon Sep 17 00:00:00 2001
From: David Hoppenbrouwers
Date: Wed, 1 Feb 2023 12:02:08 +0100
Subject: [PATCH 2/2] Forbid iframes
This prevents clickjacking attacks.
---
 main.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/main.py b/main.py
index b6c47fc..df78fb3 100644
--- a/main.py
+++ b/main.py
@@ -33,6 +33,13 @@ class Role:
 MODERATOR = 1
 ADMIN = 2
+@app.after_request
+def after_request(response):
+ # This forbids other sites from embedding this site in an iframe,
+ # preventing clickjacking attacks.
+ response.headers['X-Frame-Options'] = 'DENY'
+ return response
+
 @app.route('/')
 def index():
 return render_template(
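Review bot: `SameSite=Lax` still attaches the session cookie to cross-site top-level GET navigations, so the third comment line in the main.py hunk overstates what the setting buys: any route that changes state on GET remains reachable from another origin. I would reword it to `# 'Lax' withholds the cookie on cross-site POST; state-changing routes must not accept GET.` Flask leaves `SESSION_COOKIE_SECURE` at False, so if the forum is served over TLS the line `app.config['SESSION_COOKIE_SECURE'] = True` belongs next to this one (`SESSION_COOKIE_HTTPONLY` already defaults to True). Browsers that predate SameSite enforcement ignore the attribute, so a per-form CSRF token remains the portable defence and this setting is best described as defence in depth.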
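Review bot: `X-Frame-Options: DENY` is honoured by current browsers, but the standardised control is the CSP `frame-ancestors` directive, and when both headers are present the CSP one takes precedence; adding `response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"` beside the existing assignment in the second main.py hunk covers both. The assignment also unconditionally overwrites any value a view set earlier, which is fine for a blanket policy but deserves a one-line comment such as `# Applied to every response; no route is expected to be embeddable.` so a later per-route exception is not silently clobbered. Naming the hook `set_security_headers` rather than reusing the decorator's name `after_request` would read better. `index()` begins in the hunk and continues outside it.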