This sets the __Host- prefix to the Pleroma session cookie. A browser will only accept a cookie with this prefix if it fulfills the following requirements:
-
Secureattributes needs to be set - URI scheme must be considered secure by browser
-
Set-Cookiedoes not contain aDomainattribute. The cookie is only sent to the host which sets it. -
Pathneeds to be set to/. The cookie is sent at every request.
Browsers with no support (IE and Edge) will just ignore the prefix and treat it as part of the name.
Example scenario
A user visits the website for the first time over HTTP and an attacker intercepts the connection and plants a session cookie. Pleroma now thinks, that the user already has the cookie and uses the attacker controlled session. The __Host- prefix prevents this attack, because the session cookie can now only be set over a secure connection.