Set SameSite on cookies

Setting this attribute on a cookie marks it as non-cross-site, so it
is only sent in requests to our own server. It is reasonable that no
one else should need our session or CSRF data. Setting it explicitly
also prevents any issues from the ongoing change in browser behaviour [0]
when it is unset.

Seasurf supports the SameSite attribute starting with v0.3. As nothing
obviously broke, I used the opportunity and updated all the way to the
most recent version.

The SeaSurf default for SameSite is already `Lax`, so it only needs to
be set for the session cookie.

[0] https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
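The commit relies on the `SESSION_COOKIE_SAMESITE` value being one the browser accepts, and the linked post [0] describes the `None` value only being honoured together with `Secure`. The following is an added example, not code from this commit or from the PowerDNS-Admin project: a small check over a Flask-style config dict (the key names `SESSION_COOKIE_SAMESITE`, `SESSION_COOKIE_SECURE` and `SESSION_COOKIE_HTTPONLY` are real Flask settings; the sample config dicts are constructed), plus a helper that renders the resulting `Set-Cookie` header with the standard library so the effect of each setting can be seen.

```python
from http.cookies import SimpleCookie

# SameSite values browsers understand; anything else is treated as unset by most of them.
VALID_SAMESITE = {"Lax", "Strict", "None"}


def check_cookie_config(config):
    """Return a list of findings for session-cookie settings in a Flask-style config dict.

    An empty list means the configuration is consistent. Findings are plain strings
    so they can be surfaced in a startup log or a test.
    """
    findings = []
    samesite = config.get("SESSION_COOKIE_SAMESITE")
    if samesite is None:
        findings.append("SESSION_COOKIE_SAMESITE unset: browser default behaviour applies")
    elif samesite not in VALID_SAMESITE:
        findings.append(f"SESSION_COOKIE_SAMESITE={samesite!r} is not a valid SameSite value")
    elif samesite == "None" and not config.get("SESSION_COOKIE_SECURE", False):
        # Cross-site cookies are only accepted when also marked Secure.
        findings.append("SameSite=None requires SESSION_COOKIE_SECURE=True or browsers reject the cookie")
    if not config.get("SESSION_COOKIE_HTTPONLY", True):
        findings.append("SESSION_COOKIE_HTTPONLY disabled: session cookie readable from JavaScript")
    return findings


def build_set_cookie(name, value, samesite="Lax", secure=False, httponly=True):
    """Render the Set-Cookie header value a server would emit for these attributes."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["samesite"] = samesite
    # Boolean flags are emitted as bare tokens when True and omitted when False.
    morsel["httponly"] = httponly
    morsel["secure"] = secure
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample mirroring the keys touched by the commit.
    sample = {"SESSION_COOKIE_SAMESITE": "Lax", "CSRF_COOKIE_HTTPONLY": True}
    print(check_cookie_config(sample))
    print(build_set_cookie("session", "abc123"))
    print(check_cookie_config({"SESSION_COOKIE_SAMESITE": "None"}))
```

Running the check over a config that sets `SameSite=None` without `SESSION_COOKIE_SECURE` produces a finding, while the `Lax` setting from the commit passes cleanly; `build_set_cookie` shows the header the browser actually sees for each combination.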
corubba 2022-05-31 00:35:04 +02:00
parent 1a77524447
commit 52b704baeb
3 changed files with 3 additions and 1 deletions

View File

@ -2,6 +2,7 @@
BIND_ADDRESS = '0.0.0.0'
PORT = 80
SQLALCHEMY_DATABASE_URI = 'sqlite:////data/powerdns-admin.db'
SESSION_COOKIE_SAMESITE = 'Lax'
CSRF_COOKIE_HTTPONLY = True
legal_envvars = (
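Review bot: `Lax` still sends the session cookie on top-level GET navigations, so the SeaSurf CSRF check (and the `CSRF_COOKIE_HTTPONLY = True` line kept here) must stay in place; consider a short comment on the new `SESSION_COOKIE_SAMESITE` line saying so, and stating that `'Strict'` is the alternative for deployments that never link into the admin from other sites. The commit message also notes the CSRF cookie is left at SeaSurf's own `Lax` default; setting `CSRF_COOKIE_SAMESITE = 'Lax'` explicitly next to this line would keep the session and CSRF cookies from diverging if that library default changes.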

View File

@ -10,6 +10,7 @@ PORT = 9191
HSTS_ENABLED = False
OFFLINE_MODE = False
FILESYSTEM_SESSIONS_ENABLED = False
SESSION_COOKIE_SAMESITE = 'Lax'
CSRF_COOKIE_HTTPONLY = True
### DATABASE CONFIG
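Review bot: This is the second copy of the same `SESSION_COOKIE_SAMESITE = 'Lax'` line, and unlike the surrounding `HSTS_ENABLED` / `OFFLINE_MODE` / `FILESYSTEM_SESSIONS_ENABLED` flags it carries no documentation of the accepted values. Suggest a one-line comment listing `'Lax'`, `'Strict'` and `'None'`, and noting that `'None'` is only honoured by browsers together with a `Secure` cookie (the point of the post linked as [0] in the commit message), so anyone switching to it must also set `SESSION_COOKIE_SECURE = True`.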

View File

@ -18,7 +18,7 @@ pytz==2020.1
cssmin==0.2.0
jsmin==3.0.0
Authlib==0.15
Flask-SeaSurf==0.2.2
Flask-SeaSurf==1.1.1
bravado-core==5.17.0
lima==0.5
pytest==6.1.1
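Review bot: The bump from `Flask-SeaSurf==0.2.2` to `Flask-SeaSurf==1.1.1` crosses a major version, and the commit message justifies it only with "nothing obviously broke"; the message states the SameSite attribute is needed from v0.3, so the jump to 1.1.1 goes well beyond what this change requires. Suggest either pinning to the lowest release that supports SameSite, or recording in the commit message which test suite was run against 1.1.1 so the larger upgrade is traceable.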