Use more secure cookie settings.

2025-02-12 22:01:30 -05:00 · 2025-02-12 22:01:30 -05:00 · d2d8c02a2f
commit d2d8c02a2f
parent 02a58946f1
1 changed files with 11 additions and 2 deletions
--- a/pkg/handlers/router.go
+++ b/pkg/handlers/router.go
@ -26,6 +26,12 @@ func BuildRouter(c *services.Container) error {
 		g.Use(echomw.HTTPSRedirect())
 	}

+	// Create a cookie store for session data
+	cookieStore := sessions.NewCookieStore([]byte(c.Config.App.EncryptionKey))
+	cookieStore.Options.HttpOnly = true
+	cookieStore.Options.Secure = true
+	cookieStore.Options.SameSite = http.SameSiteStrictMode
+
 	g.Use(
 		echomw.RemoveTrailingSlashWithConfig(echomw.TrailingSlashConfig{
 			RedirectCode: http.StatusMovedPermanently,
@ -39,11 +45,14 @@ func BuildRouter(c *services.Container) error {
 		echomw.TimeoutWithConfig(echomw.TimeoutConfig{
 			Timeout: c.Config.App.Timeout,
 		}),
-		middleware.Session(sessions.NewCookieStore([]byte(c.Config.App.EncryptionKey))),
+		middleware.Session(cookieStore),
 		middleware.LoadAuthenticatedUser(c.Auth),
 		middleware.ServeCachedPage(c.TemplateRenderer),
 		echomw.CSRFWithConfig(echomw.CSRFConfig{
-			TokenLookup: "form:csrf",
+			TokenLookup:    "form:csrf",
+			CookieHTTPOnly: true,
+			CookieSecure:   true,
+			CookieSameSite: http.SameSiteStrictMode,
 		}),
 	)