On the __cfduid cookie, SameSite is set to Lax, which may be out of our control because it's a CloudFlare thing, but maybe there's a setting for it. I think it could be set to Strict from a technical point of view, but of course it would be bad for CloudFlare's evil tracking.
On the connect.sid cookie, Secure is false, which is #336, but also SameSite is None, which can definitely be improved. Setting it to Lax should provide a line of defense against CSRF without compromising functionality. Strict is probably too strict: iiuc, links from external sites would no longer send the cookie on first request, making it appear as if you are logged out.