SameSite + httpOnly CSRF cookie

cmd/owl/web/handler.go

@@ -182,6 +182,8 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
 		cookie := http.Cookie{
 			Name:     "csrf_token",
 			Value:    csrfToken,
+			HttpOnly: true,
+			SameSite: http.SameSiteStrictMode,
 		}
 		http.SetCookie(w, &cookie)