ackama / rails-template

Application template for Rails 7 projects; preloaded with best practices for TDD, security, deployment, and developer productivity.

Can we make the session cookie SameSite=Strict (currently defaulting to SameSite=Lax)? #532

Open eoinkelly opened 6 months ago

eoinkelly commented 6 months ago

I might be missing something but I have not yet found a reason why we cannot set SameSite=Strict on the Rails session cookie. This is a very minor security win but will likely tick some lower priority boxes in pen tests.

The change would be something along the lines of:

```ruby
# config/application.rb

# Specify cookies SameSite protection level: either :none, :lax, or :strict.
config.action_dispatch.cookies_same_site_protection = :strict # defaults to :lax
```

Background
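
To make the difference between the current `:lax` default and the proposed `:strict` concrete, here is an added example (not code from the rails-template project or from the issue author). It builds a session `Set-Cookie` header in the shape Rack emits for each of the three protection levels Rails accepts, then runs a small model of the browser's SameSite rules (same-site requests always carry the cookie; `Lax` also allows cross-site top-level `GET` navigations; `Strict` allows nothing cross-site) over a few constructed cross-site requests. The cookie name `_app_session`, the value, and the request scenarios are assumptions made for the example.

```ruby
# Added example: model of how a browser decides whether to attach a session
# cookie under SameSite=None / Lax / Strict. Not from the rails-template project.

SAME_SITE_VALUES = { none: "None", lax: "Lax", strict: "Strict" }.freeze

# Builds a Set-Cookie header for a session cookie with the given SameSite level
# (:none, :lax or :strict, the same symbols Rails' config option accepts).
def set_cookie_header(name, value, same_site:, secure: true, http_only: true)
  raise ArgumentError, "unknown SameSite level #{same_site.inspect}" unless SAME_SITE_VALUES.key?(same_site)
  raise ArgumentError, "SameSite=None requires Secure" if same_site == :none && !secure

  parts = ["#{name}=#{value}", "path=/"]
  parts << "secure" if secure
  parts << "HttpOnly" if http_only
  parts << "SameSite=#{SAME_SITE_VALUES[same_site]}"
  parts.join("; ")
end

# Reads the SameSite attribute back out of a Set-Cookie header. A missing
# attribute is treated as :lax, which is what current browsers default to.
def same_site_of(header)
  attr = header.split(";").map(&:strip).find { |a| a.downcase.start_with?("samesite=") }
  return :lax if attr.nil?

  SAME_SITE_VALUES.key(attr.split("=", 2)[1]) || :lax
end

# Decides whether the browser attaches the cookie to a request.
#   same_site_request:    true when the request is initiated by the cookie's own site
#   top_level_navigation: true for a navigation that changes the URL bar (link click,
#                         form submit), false for subrequests (<img>, fetch(), iframe)
def cookie_sent?(same_site, same_site_request:, top_level_navigation:, method:)
  return true if same_site_request # same-site requests always carry the cookie

  case same_site
  when :none   then true
  when :lax    then top_level_navigation && method == "GET" # safe top-level navigations only
  when :strict then false                                   # never on a cross-site request
  else raise ArgumentError, "unknown SameSite level #{same_site.inspect}"
  end
end

# Constructed cross-site scenarios (assumptions for the example): would the
# request reach the Rails app carrying the user's session under each policy?
CROSS_SITE_REQUESTS = {
  "link from another site (top-level GET)"   => { top_level_navigation: true,  method: "GET"  },
  "form POST from another site (CSRF-style)" => { top_level_navigation: true,  method: "POST" },
  "fetch()/<img> from another site"          => { top_level_navigation: false, method: "GET"  },
}.freeze

# Returns { lax: { scenario => sent? }, strict: { scenario => sent? } }.
def compare_policies
  %i[lax strict].to_h do |policy|
    header = set_cookie_header("_app_session", "opaque", same_site: policy)
    sent = CROSS_SITE_REQUESTS.to_h do |label, req|
      [label, cookie_sent?(same_site_of(header), same_site_request: false, **req)]
    end
    [policy, sent]
  end
end

if $PROGRAM_NAME == __FILE__
  compare_policies.each do |policy, results|
    puts "SameSite=#{SAME_SITE_VALUES[policy]}"
    results.each { |label, sent| puts "  #{sent ? 'cookie sent    ' : 'cookie withheld'}  #{label}" }
  end
end
```

The only row that changes between the two policies is the cross-site top-level `GET`: `Lax` already withholds the session cookie on cross-site `POST` and on subrequests, which is why moving to `Strict` is a small rather than a large CSRF gain. The flip side is the practical caveat to check before flipping the default: with `Strict`, a user who arrives via a link from another site (a mail client, a chat app, an identity provider's redirect) lands without their session cookie on that first request, so the app sees them as logged out until they navigate again within the site.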

lukeify commented 6 months ago

:strict makes sense as a default (as discussed at Ruby Guild on 8th March)