Add Secure and SameSite cookie flags

This adds the `Secure` and `SameSite=Lax` flags to the session cookie.

- Secure: Cookies with this flag are only accepted by the browser if they are served over a secure connection, aka HTTPS.
- SameSite: Cookies with this flag are not sent with cross-origin requests. This provides some protection against cross-site request forgery (CSRF) attacks.

The `Secure` flag is enabled by default, but can be disabled in the config by setting `secure_cookie_flag: false` in case no HTTPS is in use.

The `SameSite` flag is set with the value `Lax`, which provides a balance between usability and security. The difference between `Lax` and `Strict`:

- Lax: Coming from a third-party origin, the cookie is sent when the cross-origin request is safe (GET, HEAD, OPTIONS, and TRACE).
- Strict: Strict disallows sending the cookie in all cases if you are coming from another origin.
References: https://www.owasp.org/index.php/SameSite and https://scotthelme.co.uk/tough-cookies/
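The following is an added example, not code from this change or the project itself. It builds the `Set-Cookie` header described above (honouring the `secure_cookie_flag` config key, which is the only name taken from the description) and then models the browser-side decision for `Secure`, `SameSite=Lax` and `SameSite=Strict`, so the CSRF effect of Lax versus Strict can be seen on a few constructed cross-site requests. The browser model follows the SameSite rules and therefore also checks that a Lax cookie is only sent on a top-level navigation, a detail beyond the description above; the function names, the cookie name `session` and the sample values are assumptions.

```python
# Added example (not the project's code): build the Set-Cookie header the
# description talks about, then model how a browser decides whether to attach
# that cookie to a request. Only `secure_cookie_flag` comes from the description;
# function names, the cookie name and the sample values are assumptions.
from dataclasses import dataclass

# Methods the SameSite rules treat as "safe"; matches the list in the description.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def session_cookie_header(session_id: str, config: dict) -> str:
    """Build the Set-Cookie header for the session cookie.

    Secure is set unless the config contains `secure_cookie_flag: false`
    (the opt-out for deployments without HTTPS); SameSite is always Lax.
    """
    parts = [f"session={session_id}", "Path=/", "SameSite=Lax"]
    if config.get("secure_cookie_flag", True):
        parts.append("Secure")
    return "; ".join(parts)


@dataclass
class StoredCookie:
    """The parts of a cookie a browser needs for the Secure/SameSite decision."""
    name: str
    value: str
    secure: bool
    samesite: str  # "Lax", "Strict" or "None"


def parse_set_cookie(header: str) -> StoredCookie:
    """Parse a Set-Cookie header into the attributes used below."""
    name_value, *attributes = header.split("; ")
    name, _, value = name_value.partition("=")
    attrs = {}
    for attribute in attributes:
        key, _, val = attribute.partition("=")
        attrs[key.lower()] = val
    return StoredCookie(
        name=name,
        value=value,
        secure="secure" in attrs,
        samesite=attrs.get("samesite", "None"),
    )


def browser_sends_cookie(cookie: StoredCookie, *, https: bool, cross_site: bool,
                         method: str, top_level_navigation: bool) -> bool:
    """Decide whether a browser attaches `cookie` to an outgoing request.

    Models the flags from the description:
      * Secure: never sent over plain HTTP.
      * SameSite=Strict: never sent on a cross-site request.
      * SameSite=Lax: sent cross-site only for a safe-method, top-level
        navigation (address bar, link click), so a cross-site form POST or an
        <img>/fetch() subresource request does not carry it.
    """
    if cookie.secure and not https:
        return False
    if not cross_site:
        return True
    if cookie.samesite == "Strict":
        return False
    if cookie.samesite == "Lax":
        return method.upper() in SAFE_METHODS and top_level_navigation
    return True  # SameSite=None: this flag imposes no cross-site restriction


def csrf_scenarios(samesite: str) -> dict:
    """Run constructed cross-site requests against a cookie with the given SameSite value."""
    cookie = StoredCookie("session", "s3cr3t", secure=True, samesite=samesite)

    def send(**kw):
        return browser_sends_cookie(cookie, https=True, cross_site=True, **kw)

    return {
        "link click from other site (GET)": send(method="GET", top_level_navigation=True),
        "form POST from other site": send(method="POST", top_level_navigation=True),
        "<img> / fetch GET from other site": send(method="GET", top_level_navigation=False),
    }


if __name__ == "__main__":
    print(session_cookie_header("s3cr3t", {}))
    print(session_cookie_header("s3cr3t", {"secure_cookie_flag": False}))
    for mode in ("Lax", "Strict"):
        print(mode, csrf_scenarios(mode))
```

Running the script shows the practical difference: with `Lax` a plain link from another site still carries the session cookie (so the user lands logged in), while a cross-site form POST or subresource request does not, which is the CSRF protection the description refers to; with `Strict` none of the cross-site requests carry it. Disabling `secure_cookie_flag` only drops the `Secure` attribute; the `SameSite=Lax` behaviour is unchanged.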