From eb3d2b36c33d60b974534eaefbf1ab8f9d3351ec Mon Sep 17 00:00:00 2001
From: feedmeapples
Date: Thu, 19 May 2022 17:54:23 -0400
Subject: [PATCH] Set strict defaults for CSRF

---
 server/routes/auth.go | 4 ++--
 server/server.go | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/server/routes/auth.go b/server/routes/auth.go
index 3b702b54ed..d7d3f2d6e9 100644
--- a/server/routes/auth.go
+++ b/server/routes/auth.go
@@ -142,7 +142,7 @@ func authenticateCb(ctx context.Context, config *oauth2.Config, provider *oidc.P
 Path: "/",
 MaxAge: 7 * 24 * int(time.Hour.Seconds()),
 HttpOnly: true,
- SameSite: http.SameSiteNoneMode,
+ SameSite: http.SameSiteStrictMode,
 Secure: true,
 }
 sess.Values["access-token"] = &user.OAuth2Token.AccessToken
@@ -175,7 +175,7 @@ func logout(c echo.Context) error {
 Path: "/",
 MaxAge: -1,
 HttpOnly: true,
- SameSite: http.SameSiteNoneMode,
+ SameSite: http.SameSiteStrictMode,
 Secure: true,
 }
 sess.Save(c.Request(), c.Response())
diff --git a/server/server.go b/server/server.go
index 82f3de9f05..b4d77f86af 100644
--- a/server/server.go
+++ b/server/server.go
@@ -25,6 +25,7 @@ package server
 import (
 "embed"
 "fmt"
+ "net/http"

 "github.com/gorilla/securecookie"
 "github.com/gorilla/sessions"
@@ -85,7 +86,10 @@ func NewServer(opts ...server_options.ServerOption) *Server {
 }))
 e.Use(middleware.Secure())
 e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
- CookiePath: "/",
+ CookiePath: "/",
+ CookieHTTPOnly: true,
+ CookieSameSite: http.SameSiteStrictMode,
+ CookieSecure: true,
 }))
 e.Use(session.Middleware(sessions.NewCookieStore(
 securecookie.GenerateRandomKey(32),
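Review bot: The session cookie written in the OIDC callback is now SameSite=Strict, and the request that follows the cross-site return from the identity provider (the callback's own redirect to the app) may arrive without that cookie, so the user lands on the app looking logged out until a same-site navigation; how browsers treat Strict cookies across a redirect chain that started at the IdP varies and should be verified against the login flow before this ships. Lax gives the same protection against cross-site POST, which the CSRF middleware in server.go also covers, while still being sent on that top-level navigation, so `SameSite: http.SameSiteLaxMode,` is the safer default for the login session cookie specifically; Strict fits the CSRF cookie better than it fits this one. Whatever mode is kept deserves a one-line comment on why, e.g. `// Lax: the cookie must survive the top-level redirect back from the IdP.` authenticateCb begins before the hunk, so the struct this literal initialises and the redirect it issues afterwards are not visible here.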
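Review bot: The cookie attributes in logout duplicate those in authenticateCb field for field except MaxAge, and this commit has had to edit both places for a single policy decision; a shared helper keeps the two cookies from drifting apart again (the deletion cookie must match Path of the original or the browser will not clear it, so keeping them in one place is also a correctness guard). logout continues after the hunk and its option struct opens above it, so the helper below assumes the literal is a `*sessions.Options` as gorilla/sessions uses — confirm against the line above the hunk before applying.
```go
// sessionCookieOptions returns the attributes every session cookie in this
// package is written with; maxAge is in seconds, -1 tells the browser to
// delete the cookie.
func sessionCookieOptions(maxAge int) *sessions.Options {
	return &sessions.Options{
		Path:     "/",
		MaxAge:   maxAge,
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		Secure:   true,
	}
}

// … in logout, the options literal above the hunk becomes: …
sessionCookieOptions(-1)
// … unchanged: sess.Save(c.Request(), c.Response()) …
```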
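Review bot: `CookieHTTPOnly: true` on the CSRF cookie means client-side script can no longer read the token from it, so a browser client that implements double-submit by copying the `_csrf` cookie into the `X-CSRF-Token` header will fail every state-changing request — Echo's middleware only compares the cookie with a token the client echoes back, it does not accept the cookie alone. If the token is instead rendered server-side (Echo puts it in the request context, under the `csrf` key by default) or returned by a dedicated endpoint, the setting is right and deserves a comment saying so, e.g. `// Token reaches the client via the rendered page, not by reading the cookie, so it can stay HttpOnly.` `CookieSecure: true` additionally means the browser drops the cookie over plain HTTP, so local development without TLS needs either a config switch or an HTTPS dev proxy; that is presumably deliberate but should be noted where the server's listen address is configured. NewServer continues past the hunk.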