Skip to content

security/http-only-cookies: fix SameSite cookie settings for localhos… #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
SatanLittleHelper merged 2 commits into from
Sep 22, 2025
Merged

security/http-only-cookies: fix SameSite cookie settings for localhos… #21

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
48d2883
security/http-only-cookies: fix SameSite cookie settings for localhos…
SatanLittleHelper Sep 22, 2025
d9fc5b5
Merge branch 'main' into security/http-only-cookies
SatanLittleHelper Sep 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions internal/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package config

import (
"fmt"
"net/http"
"os"
"strconv"
"strings"
Expand All @@ -20,6 +21,7 @@ type Config struct {
RateLimit RateLimitConfig
CORS CORSConfig
SecurityHeaders SecurityHeadersConfig
Cookie CookieConfig
}

type ServerConfig struct {
Expand Down Expand Up @@ -78,6 +80,11 @@ type SecurityHeadersConfig struct {
XSSProtection string
}

type CookieConfig struct {
Secure bool
SameSite http.SameSite
}

func Load() (*Config, error) {
config := &Config{
Server: ServerConfig{
Expand Down Expand Up @@ -136,6 +143,10 @@ func Load() (*Config, error) {
ReferrerPolicy: getEnv("SECURITY_REFERRER_POLICY", "strict-origin-when-cross-origin"),
XSSProtection: getEnv("SECURITY_XSS_PROTECTION", "1; mode=block"),
},
Cookie: CookieConfig{
Secure: false,
SameSite: http.SameSiteNoneMode,
},
}

if err := config.Validate(); err != nil {
Expand Down
2 changes: 1 addition & 1 deletion internal/http/auth_handlers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ func NewAuthHandlers(authService services.AuthService, logger *logger.Logger, cf
}

func (h *AuthHandlers) getCookieSettings() (secure bool, sameSite http.SameSite) {
return false, http.SameSiteDefaultMode
return h.config.Cookie.Secure, h.config.Cookie.SameSite
}

func (h *AuthHandlers) setSecureCookie(w http.ResponseWriter, name, value string, maxAge int) {
Expand Down