From 48d288374d4dfb86088778f1b42570e5c5037d59 Mon Sep 17 00:00:00 2001
From: Aleksandr Fenin
Date: Mon, 22 Sep 2025 14:04:45 +0300
Subject: [PATCH] security/http-only-cookies: fix SameSite cookie settings for localhost cross-site requests

---
 internal/config/config.go      | 11 +++++++++++
 internal/http/auth_handlers.go |  2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index 8a10894..60828b2 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -2,6 +2,7 @@ package config
 
 import (
 	"fmt"
+	"net/http"
 	"os"
 	"strconv"
 	"strings"
@@ -20,6 +21,7 @@ type Config struct {
 	RateLimit       RateLimitConfig
 	CORS            CORSConfig
 	SecurityHeaders SecurityHeadersConfig
+	Cookie          CookieConfig
 }
 
 type ServerConfig struct {
@@ -78,6 +80,11 @@ type SecurityHeadersConfig struct {
 	XSSProtection string
 }
 
+type CookieConfig struct {
+	Secure   bool
+	SameSite http.SameSite
+}
+
 func Load() (*Config, error) {
 	config := &Config{
 		Server: ServerConfig{
@@ -136,6 +143,10 @@ func Load() (*Config, error) {
 			ReferrerPolicy: getEnv("SECURITY_REFERRER_POLICY", "strict-origin-when-cross-origin"),
 			XSSProtection:  getEnv("SECURITY_XSS_PROTECTION", "1; mode=block"),
 		},
+		Cookie: CookieConfig{
+			Secure:   false,
+			SameSite: http.SameSiteNoneMode,
+		},
 	}
 
 	if err := config.Validate(); err != nil {
diff --git a/internal/http/auth_handlers.go b/internal/http/auth_handlers.go
index c2ab7ee..89e2690 100644
--- a/internal/http/auth_handlers.go
+++ b/internal/http/auth_handlers.go
@@ -28,7 +28,7 @@ func NewAuthHandlers(authService services.AuthService, logger *logger.Logger, cf
 }
 
 func (h *AuthHandlers) getCookieSettings() (secure bool, sameSite http.SameSite) {
-	return false, http.SameSiteDefaultMode
+	return h.config.Cookie.Secure, h.config.Cookie.SameSite
 }
 
 func (h *AuthHandlers) setSecureCookie(w http.ResponseWriter, name, value string, maxAge int) {
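Review bot: The new exported type `CookieConfig` in the third config.go hunk has no doc comment, and its two fields carry a coupling that is not obvious from their types: a SameSite=None cookie is only accepted by browsers when it is also Secure. Suggest `// CookieConfig holds the attributes applied to cookies set by the auth handlers.` above the type, and on the SameSite field `// SameSite http.SameSiteNoneMode is only valid together with Secure: true.` so the next person editing the defaults in Load sees the constraint at the declaration.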
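Review bot: The Cookie defaults added at the end of Load hard-code `Secure: false` together with `SameSite: http.SameSiteNoneMode` for every environment, and that combination is rejected by current browsers — a SameSite=None cookie must also carry the Secure attribute — so the auth cookie emitted via getCookieSettings (auth_handlers.go hunk) will be dropped everywhere except the plain-HTTP localhost case the commit targets, and in production it also gives up the cross-site protection that Lax provides. Every sibling field in this struct is read through getEnv with a safe default, so the cookie settings should be read the same way, with Secure defaulting to true and SameSite to Lax and the localhost relaxation opted into per environment; the env names below are constructed placeholders. Validate, called right after this block (its body is outside the hunk), should additionally reject `SameSite == http.SameSiteNoneMode && !Secure` so a misconfiguration fails at startup instead of silently in the browser.
```go
		Cookie: CookieConfig{
			// Secure defaults on; SameSite=None is only honoured by browsers together with Secure.
			Secure:   strings.EqualFold(getEnv("COOKIE_SECURE", "true"), "true"),
			SameSite: parseSameSite(getEnv("COOKIE_SAMESITE", "Lax")),
		},
	}
	// … unchanged: config.Validate() call and return …

// parseSameSite maps a config string to http.SameSite; unknown values fall back to Lax.
func parseSameSite(v string) http.SameSite {
	switch strings.ToLower(strings.TrimSpace(v)) {
	case "none":
		return http.SameSiteNoneMode
	case "strict":
		return http.SameSiteStrictMode
	default:
		return http.SameSiteLaxMode
	}
}
```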