mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2024-11-09 15:10:27 +00:00
Set SameSite on cookies
Setting this attribute on a cookie marks it as non-cross-site, so it is only send in requests to our own server. It is reasonable that no one else should need our session or csrf data. Setting it explicitly also prevents any issues from the ongoing change in browser behaviour [0] when it is unset. Seasurf supports the SameSite attribute starting with v0.3. As nothing obviously broke, I used the opportunity and updated all the way to the most recent version. The SeaSurf default for SameSite is already `Lax`, so it only needs to be set for the session cookie. [0] https://developers.google.com/search/blog/2020/01/get-ready-for-new-samesitenone-secure
This commit is contained in:
parent
1a77524447
commit
52b704baeb
@ -2,6 +2,7 @@
|
||||
BIND_ADDRESS = '0.0.0.0'
|
||||
PORT = 80
|
||||
SQLALCHEMY_DATABASE_URI = 'sqlite:////data/powerdns-admin.db'
|
||||
SESSION_COOKIE_SAMESITE = 'Lax'
|
||||
CSRF_COOKIE_HTTPONLY = True
|
||||
|
||||
legal_envvars = (
|
||||
|
@ -10,6 +10,7 @@ PORT = 9191
|
||||
HSTS_ENABLED = False
|
||||
OFFLINE_MODE = False
|
||||
FILESYSTEM_SESSIONS_ENABLED = False
|
||||
SESSION_COOKIE_SAMESITE = 'Lax'
|
||||
CSRF_COOKIE_HTTPONLY = True
|
||||
|
||||
### DATABASE CONFIG
|
||||
|
@ -18,7 +18,7 @@ pytz==2020.1
|
||||
cssmin==0.2.0
|
||||
jsmin==3.0.0
|
||||
Authlib==0.15
|
||||
Flask-SeaSurf==0.2.2
|
||||
Flask-SeaSurf==1.1.1
|
||||
bravado-core==5.17.0
|
||||
lima==0.5
|
||||
pytest==6.1.1
|
||||
|
Loading…
Reference in New Issue
Block a user