Closed ThrawnCA closed 1 year ago
For defence in depth, it would be best to configure the SameSite attribute on token cookies, so that they're harder to misuse across sites. SameSite=Strict should work.
Pull request to solve this issue is in now. Allows config option to set this value, but still defaults to 'None' as it did before.
https://github.com/qld-gov-au/ckanext-csrf-filter/pull/36
Implemented in 1.2.0
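To make the setting discussed in this thread concrete, here is an added example (not code from ckanext-csrf-filter or the linked pull request) that builds the token cookie's Set-Cookie header from a config value, keeps the legacy default of "None" as the thread describes, and shows what each policy means for a cross-site request. The config key `ckanext.csrf_filter.same_site` and all function names are assumptions made for the illustration; the one caveat worth carrying over is that browsers discard a `SameSite=None` cookie that is not also marked `Secure`.

```python
"""Added example: SameSite handling for a CSRF token cookie.

Not the extension's own code. The config key below is a hypothetical
name chosen only to model "a config option that defaults to 'None'".
"""

VALID_SAMESITE = ("Strict", "Lax", "None")
CONFIG_KEY = "ckanext.csrf_filter.same_site"  # assumed key, not the real option


def samesite_from_config(config):
    """Read the SameSite policy from a CKAN-style config dict.

    Defaults to "None" to mirror the behaviour described in the thread;
    the hardened deployment sets the key to "Strict".
    """
    raw = str(config.get(CONFIG_KEY, "None")).strip().capitalize()
    if raw not in VALID_SAMESITE:
        raise ValueError("unsupported SameSite value: %r" % raw)
    return raw


def build_token_cookie(name, value, samesite="Strict", secure=True,
                       http_only=True, path="/"):
    """Return the Set-Cookie header value for the token cookie.

    SameSite=None is only honoured by browsers when Secure is also set,
    so that combination is refused rather than silently emitted.
    """
    if samesite not in VALID_SAMESITE:
        raise ValueError("unsupported SameSite value: %r" % samesite)
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure flag")
    parts = ["%s=%s" % (name, value), "Path=%s" % path, "SameSite=%s" % samesite]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def cookie_attributes(set_cookie):
    """Parse a Set-Cookie value into {attribute_lowercase: value}.

    Flag attributes such as Secure and HttpOnly map to True.
    """
    attrs = {}
    for segment in set_cookie.split(";")[1:]:
        segment = segment.strip()
        if not segment:
            continue
        key, _, val = segment.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return attrs


def sent_cross_site(set_cookie, safe_top_level_navigation):
    """Would a browser attach this cookie to a cross-site request?

    Strict: never.  Lax: only on a top-level navigation with a safe method
    (a link click, not a cross-origin form POST).  None: always, given
    Secure.  A missing attribute is treated as None here; note that
    Chromium now defaults missing values to Lax, other engines differ.
    """
    policy = cookie_attributes(set_cookie).get("samesite", "None")
    if policy == "Strict":
        return False
    if policy == "Lax":
        return safe_top_level_navigation
    return True


if __name__ == "__main__":
    # Constructed config dicts: the pre-1.2.0 default versus the hardened value.
    weak = build_token_cookie("ckan_token", "abc123",
                              samesite=samesite_from_config({}))
    hardened = build_token_cookie("ckan_token", "abc123",
                                  samesite=samesite_from_config({CONFIG_KEY: "strict"}))
    print("default :", weak)
    print("hardened:", hardened)
    print("cross-site POST carries default cookie :", sent_cross_site(weak, False))
    print("cross-site POST carries hardened cookie:", sent_cross_site(hardened, False))
```

Running the block prints the two header values side by side; the "None" cookie rides along on a cross-site form POST (the CSRF filter's token check is then the only defence), while the "Strict" cookie is never attached cross-site, which is the extra layer the issue asks for.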