server: auth: strictly prohibit cross-site cookie

Flood instances are not going to be linked from another site.

This prevents Cross-Site Request Forgery attacks which exploit the
cached authentication token in the cookie.
Jesse Chan
2020-08-27 19:40:43 +08:00
parent a79656ec2d
commit 2984d58e2d
+1 -1
@@ -22,7 +22,7 @@ const setAuthToken = (res, username, isAdmin) => {
expiresIn: expirationSeconds,
});
res.cookie('jwt', token, {expires: new Date(cookieExpiration), httpOnly: true});
res.cookie('jwt', token, {expires: new Date(cookieExpiration), httpOnly: true, sameSite: 'Strict'});
return res.json({
success: true,
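Review bot: `sameSite: 'Strict'` on the `jwt` cookie matches the stated assumption that Flood is never linked from another site, but the trade-off should be documented in the commit message or a code comment: with `Strict` the browser also withholds the cookie on top-level navigations that originate elsewhere (a bookmark in another page, a link in an e-mail), so a user arriving that way lands on the login screen until they navigate within the instance. If that turns out to matter, `sameSite: 'Lax'` still blocks the cross-site POST/XHR requests that CSRF relies on while allowing those top-level GET navigations. Separately, the cookie options visible in this hunk (`expires`, `httpOnly`, `sameSite`) do not include `secure`; since the SameSite attribute is only as strong as the cookie's transport, consider setting `secure: true` when the instance is served over HTTPS.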