SameSite + httpOnly CSRF cookie

This commit is contained in:
Niko Abeler 2022-11-07 21:24:39 +01:00
parent 5c3b6351d8
commit 25fbed4d44
1 changed files with 4 additions and 2 deletions

View File

@ -180,8 +180,10 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
// https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie // https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
csrfToken := owl.GenerateRandomString(32) csrfToken := owl.GenerateRandomString(32)
cookie := http.Cookie{ cookie := http.Cookie{
Name: "csrf_token", Name: "csrf_token",
Value: csrfToken, Value: csrfToken,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
} }
http.SetCookie(w, &cookie) http.SetCookie(w, &cookie)