Add Secure and SameSite cookie flags

This adds the Secure and SameSite=Lax flags to the session cookie.

  • Secure: Cookies with this flag are only accepted by the browser if they are served over a secure connection, i.e. HTTPS.
  • SameSite: Cookies with this flag are not sent on cross-origin requests. This provides some protection against cross-site request forgery (CSRF) attacks.

The Secure flag is enabled by default, but can be disabled in the config by setting secure_cookie_flag: false in case no HTTPS is in use.

The SameSite flag is set to the value Lax, which provides a balance between usability and security. The difference between Lax and Strict:

  • Lax: Coming from a third-party origin, the cookie is still sent when the cross-origin request is safe (GET, HEAD, OPTIONS, and TRACE).
  • Strict: Strict disallows sending the cookie in all cases when coming from another origin.
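As an added illustration (not the project's own code), the following Python builds the session cookie with the two flags described above, honouring a hypothetical `secure_cookie_flag` config key, and includes a small audit helper that reports which of the two protections a given Set-Cookie value lacks. The cookie name `session` and the config dict are assumptions.

```python
from http.cookies import SimpleCookie

# Hypothetical config dict standing in for the project's config file; the
# `secure_cookie_flag` key mirrors the option described in the merge request.
DEFAULT_CONFIG = {"secure_cookie_flag": True}


def build_session_cookie(session_id: str, config: dict = DEFAULT_CONFIG) -> str:
    """Return the Set-Cookie header value for the session cookie.

    SameSite=Lax is always set; Secure is set unless the config disables it
    (the `secure_cookie_flag: false` escape hatch for plain-HTTP setups).
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    if config.get("secure_cookie_flag", True):
        morsel["secure"] = True
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the names of protections missing from a Set-Cookie header value.

    Checks only the two attributes discussed above: Secure must be present and
    SameSite must be Lax or Strict (absent or None gives no CSRF protection).
    """
    parts = [p.strip() for p in header_value.split(";")[1:]]
    attrs = {}
    for part in parts:
        name, _, value = part.partition("=")
        attrs[name.strip().lower()] = value.strip().lower()
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite") not in ("lax", "strict"):
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    # Constructed sample session id; the second config shows the HTTP-only fallback.
    for cfg in (DEFAULT_CONFIG, {"secure_cookie_flag": False}):
        header = build_session_cookie("constructed-session-id", cfg)
        print(header, "->", audit_set_cookie(header) or "ok")
```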

References: https://www.owasp.org/index.php/SameSite and https://scotthelme.co.uk/tough-cookies/