From 25fbed4d4469f47a7b4da42e4c9a646dfeb7652c Mon Sep 17 00:00:00 2001
From: Niko Abeler
Date: Mon, 7 Nov 2022 21:24:39 +0100
Subject: [PATCH] SameSite + httpOnly CSRF cookie
---
 cmd/owl/web/handler.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cmd/owl/web/handler.go b/cmd/owl/web/handler.go
index f9e5616..279fe5d 100644
--- a/cmd/owl/web/handler.go
+++ b/cmd/owl/web/handler.go
@@ -180,8 +180,10 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
 // https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
 csrfToken := owl.GenerateRandomString(32)
 cookie := http.Cookie{
- Name: "csrf_token",
- Value: csrfToken,
+ Name: "csrf_token",
+ Value: csrfToken,
+ HttpOnly: true,
+ SameSite: http.SameSiteStrictMode,
 }
 http.SetCookie(w, &cookie)
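Review bot: `HttpOnly: true` means client-side script can no longer read `csrf_token`, so the double-submit check only works if the server also places the same token into the rendered form (hidden field) or a header the client echoes back; that side is not in this hunk and should be confirmed, or the POST handler's comparison will never match. The cookie is also missing `Secure: true` and an explicit `Path`, so it is sent over plain HTTP and, with no Path attribute, the browser scopes it to the directory of the request URL, which may not cover the POST target. The OWASP page cited in the comment above recommends the `__Host-` prefix for this cookie, which requires both Secure and root path: add `Secure: true,` and `Path: "/",` alongside the existing flags (and rename to `__Host-csrf_token` if the verifying handler is updated to match). Note that browsers drop Secure cookies on plain `http://` origins, so local development over HTTP needs TLS or a config switch. The enclosing `userAuthHandler` starts before and continues after this hunk.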