Set strict defaults for CSRF

temporalio · May 19, 2022 · eb3d2b3 · eb3d2b3
1 parent 040e217
commit eb3d2b3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/server/routes/auth.go b/server/routes/auth.go
@@ -142,7 +142,7 @@ func authenticateCb(ctx context.Context, config *oauth2.Config, provider *oidc.P
 			Path:     "/",
 			MaxAge:   7 * 24 * int(time.Hour.Seconds()),
 			HttpOnly: true,
-			SameSite: http.SameSiteNoneMode,
+			SameSite: http.SameSiteStrictMode,
 			Secure:   true,
 		}
 		sess.Values["access-token"] = &user.OAuth2Token.AccessToken
@@ -175,7 +175,7 @@ func logout(c echo.Context) error {
 		Path:     "/",
 		MaxAge:   -1,
 		HttpOnly: true,
-		SameSite: http.SameSiteNoneMode,
+		SameSite: http.SameSiteStrictMode,
 		Secure:   true,
 	}
 	sess.Save(c.Request(), c.Response())

diff --git a/server/server.go b/server/server.go
@@ -25,6 +25,7 @@ package server
 import (
 	"embed"
 	"fmt"
+	"net/http"
 
 	"github.com/gorilla/securecookie"
 	"github.com/gorilla/sessions"
@@ -85,7 +86,10 @@ func NewServer(opts ...server_options.ServerOption) *Server {
 	}))
 	e.Use(middleware.Secure())
 	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
-		CookiePath: "/",
+		CookiePath:     "/",
+		CookieHTTPOnly: true,
+		CookieSameSite: http.SameSiteStrictMode,
+		CookieSecure:   true,
 	}))
 	e.Use(session.Middleware(sessions.NewCookieStore(
 		securecookie.GenerateRandomKey(32),