From fd1d9203098ed3526af49d4b64f1e46937afa18c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=A9=E8=88=9F?=
Date: Mon, 18 Oct 2021 16:42:47 +0800
Subject: [PATCH] Set cookie samesite to STRICT to precent CSRF

Found by huntr.dev
---
 server/jwt.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/jwt.go b/server/jwt.go
index 53a61aab4a5233..da20c855f2498f 100644
--- a/server/jwt.go
+++ b/server/jwt.go
@@ -126,6 +126,7 @@ func setTokenCookie(c echo.Context, name, token string, expiration time.Time) {
 	// Http-only helps mitigate the risk of client side script accessing the protected cookie.
 	cookie.HttpOnly = true
 	cookie.Secure = true
+	cookie.SameSite = http.SameSiteStrictMode
 	c.SetCookie(cookie)
 }
 
@@ -147,6 +148,7 @@ func setUserCookie(c echo.Context, user *api.Principal, expiration time.Time) {
 	cookie.Expires = expiration
 	cookie.Path = "/"
 	cookie.Secure = true
+	cookie.SameSite = http.SameSiteStrictMode
 	c.SetCookie(cookie)
 }
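Review bot: SameSiteStrictMode also withholds the cookie on top-level navigations that arrive from another site (a link opened from a mail client or another origin), so a user following such a link reaches the app unauthenticated until they navigate again; if that is not the intended experience, `cookie.SameSite = http.SameSiteLaxMode` still keeps the cookie off cross-site POST/PUT/DELETE requests, which is the CSRF case the commit targets, provided no state-changing endpoint responds to GET, and the same choice applies to the second hunk in setUserCookie. The first hunk explains HttpOnly with a comment but leaves the new attribute undocumented; a line such as `// SameSite stops the browser from attaching the cookie to cross-site requests, which mitigates CSRF.` above the new assignment would keep the block self-describing. Both hunks depend on the `http` package already being imported in server/jwt.go, which is outside the hunks and should be confirmed. Both enclosing functions, setTokenCookie and setUserCookie, begin before their hunks.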