From f848aaa81f04666dae29e0bb85ccf31d30574de7 Mon Sep 17 00:00:00 2001 From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Wed, 25 May 2022 18:08:12 +0200 Subject: [PATCH] [security] Set SameSite to `strict` instead of browser default (#606) --- internal/router/session.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/router/session.go b/internal/router/session.go index 4c83b5902..a2cbff7d1 100644 --- a/internal/router/session.go +++ b/internal/router/session.go @@ -42,7 +42,7 @@ func SessionOptions() sessions.Options { MaxAge: 120, // 2 minutes Secure: viper.GetString(config.Keys.Protocol) == "https", // only use cookie over https HttpOnly: true, // exclude javascript from inspecting cookie - SameSite: http.SameSiteDefaultMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 + SameSite: http.SameSiteStrictMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 } }