qld-gov-au / ckanext-csrf-filter

A CKAN extension to add protection against Cross-Site Request Forgery attacks
GNU Affero General Public License v3.0

Add SameSite attribute to token cookies #28

Closed ThrawnCA closed 1 year ago

ThrawnCA commented 2 years ago

For defence in depth, it would be best to configure the SameSite attribute on token cookies, so that they're harder to misuse across sites. SameSite=Strict should work.
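As an added illustration of the configuration being proposed (this is example code, not part of ckanext-csrf-filter), the helper below builds the `Set-Cookie` value for a CSRF token cookie from a configurable SameSite setting. The config key `csrf_filter.same_site`, the cookie name `_csrf_token`, the use of a plain dict in place of the CKAN config object, and the choice to omit the attribute entirely when the option is unset are all assumptions of this example. It also enforces the one check a practitioner wants here: browsers reject `SameSite=None` unless the cookie is also `Secure`.

```python
"""Build a CSRF token cookie with a configurable SameSite attribute.

Added example, not code from ckanext-csrf-filter. The config key
`csrf_filter.same_site` and the cookie name `_csrf_token` are assumptions.
Requires Python 3.8+ (http.cookies gained the 'samesite' attribute there).
"""
from http.cookies import SimpleCookie

COOKIE_NAME = "_csrf_token"            # assumed name, not the extension's
CONFIG_KEY = "csrf_filter.same_site"   # assumed config key
ALLOWED_SAME_SITE = ("Strict", "Lax", "None")


def build_token_cookie(token, config, secure=True):
    """Return the Set-Cookie header value for the CSRF token cookie.

    `config` is a dict standing in for the CKAN config object (assumption).
    An unset or empty option means the SameSite attribute is omitted.

    Strict: the browser never sends the cookie on requests initiated from
            another site, so a forged cross-site request arrives without
            the token cookie and the CSRF check fails. Defence in depth on
            top of the token comparison itself.
    Lax:    sent on top-level GET navigations only; still blocks cross-site
            POSTs, which is what matters for state-changing requests.
    None:   sent cross-site; only valid when Secure is also set.
    """
    same_site = (config.get(CONFIG_KEY) or "").strip()

    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True          # keep the token out of reach of page scripts
    if secure:
        morsel["secure"] = True        # only send over HTTPS

    if same_site:
        if same_site not in ALLOWED_SAME_SITE:
            raise ValueError(
                "%s must be one of %s, got %r"
                % (CONFIG_KEY, ", ".join(ALLOWED_SAME_SITE), same_site)
            )
        if same_site == "None" and not secure:
            # Browsers drop SameSite=None cookies that are not Secure.
            raise ValueError("SameSite=None requires the Secure attribute")
        morsel["samesite"] = same_site

    return morsel.OutputString()


def cookie_attributes(header_value):
    """Split a Set-Cookie value into its attribute strings (after the pair)."""
    return header_value.split("; ")[1:]


if __name__ == "__main__":
    # Constructed sample configs: the weak default (no attribute) beside
    # the hardened setting proposed in the issue.
    unset = {}
    strict = {CONFIG_KEY: "Strict"}
    print(build_token_cookie("deadbeef", unset))
    print(build_token_cookie("deadbeef", strict))
```

With the option unset the output carries no SameSite attribute at all; with `Strict` the browser withholds the cookie from any request that originates on another site, so the token comparison in the filter has a second line of defence even if the token value were to leak.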

JVickery-TBS commented 1 year ago

Pull request to solve this issue is in now. Allows config option to set this value, but still defaults to 'None' as it did before.

JVickery-TBS commented 1 year ago

https://github.com/qld-gov-au/ckanext-csrf-filter/pull/36

ThrawnCA commented 1 year ago

Implemented in 1.2.0