Set cookie samesite to STRICT to precent CSRF

Found by huntr.dev
bytebase · Oct 18, 2021 · fd1d920 · fd1d920
1 parent d21ac42
commit fd1d920
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/server/jwt.go b/server/jwt.go
@@ -126,6 +126,7 @@ func setTokenCookie(c echo.Context, name, token string, expiration time.Time) {
 	// Http-only helps mitigate the risk of client side script accessing the protected cookie.
 	cookie.HttpOnly = true
 	cookie.Secure = true
+	cookie.SameSite = http.SameSiteStrictMode
 	c.SetCookie(cookie)
 }
 
@@ -147,6 +148,7 @@ func setUserCookie(c echo.Context, user *api.Principal, expiration time.Time) {
 	cookie.Expires = expiration
 	cookie.Path = "/"
 	cookie.Secure = true
+	cookie.SameSite = http.SameSiteStrictMode
 	c.SetCookie(cookie)
 }