SameSite + httpOnly CSRF cookie

3 months ago · 25fbed4d44
parent 5c3b6351d8
commit 25fbed4d44
1 changed files with 4 additions and 2 deletions
--- a/cmd/owl/web/handler.go
+++ b/cmd/owl/web/handler.go
@ -180,8 +180,10 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
 		// https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
 		csrfToken := owl.GenerateRandomString(32)
 		cookie := http.Cookie{
-			Name:  "csrf_token",
-			Value: csrfToken,
+			Name:     "csrf_token",
+			Value:    csrfToken,
+			HttpOnly: true,
+			SameSite: http.SameSiteStrictMode,
 		}
 		http.SetCookie(w, &cookie)