From 312d9b7a6fc97e14aa5ad9b5d91744d271b0818f Mon Sep 17 00:00:00 2001
From: Valentin Tolmer
Date: Wed, 19 May 2021 18:08:26 +0200
Subject: [PATCH] Mark cookies as sameSite=Strict

---
 app/src/cookies.rs      | 2 +-
 src/infra/tcp_server.rs | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/src/cookies.rs b/app/src/cookies.rs
index 1cd9e83..4dfd76d 100644
--- a/app/src/cookies.rs
+++ b/app/src/cookies.rs
@@ -23,7 +23,7 @@ pub fn set_cookie(cookie_name: &str, value: &str, expiration: &DateTime) ->
             d.dyn_into::()
                 .map_err(|_| anyhow!("Document is not an HTMLDocument"))
         })?;
-    doc.set_cookie(&format!("{}={};expires={}", cookie_name, value, expiration))
+    doc.set_cookie(&format!("{}={};expires={};sameSite=Strict", cookie_name, value, expiration))
         .map_err(|_| anyhow!("Could not set cookie"))
 }
 
diff --git a/src/infra/tcp_server.rs b/src/infra/tcp_server.rs
index 0ae18bd..fed1598 100644
--- a/src/infra/tcp_server.rs
+++ b/src/infra/tcp_server.rs
@@ -5,7 +5,7 @@ use actix_http::HttpServiceBuilder;
 use actix_server::ServerBuilder;
 use actix_service::{map_config, Service};
 use actix_web::{
-    cookie::Cookie,
+    cookie::{Cookie, SameSite},
     dev::{AppConfig, ServiceRequest},
     error::{ErrorBadRequest, ErrorUnauthorized},
     web, App, HttpRequest, HttpResponse,
@@ -97,6 +97,7 @@ where
         .max_age(1.days())
         .path("/api")
         .http_only(true)
+        .same_site(SameSite::Strict)
         .finish(),
     )
     .body(token.as_str().to_owned()),
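Review bot: The new `+` line in app/src/cookies.rs still splices `cookie_name` and `value` into the `document.cookie` string with no encoding, so a `;` in either is parsed by the browser as the end of the value and the start of further attributes, which would also neutralise the `sameSite=Strict` this commit adds; validating or percent-encoding both before the `format!` (with whatever URL-encoding helper the app already depends on) keeps the attribute list under the caller's control. Neither this cookie nor the server-side one in src/infra/tcp_server.rs sets the `Secure` attribute, and SameSite only restricts which requests carry the cookie, not whether it may travel over plain HTTP, so the usual pairing is `;secure` here and `.secure(true)` in the builder chain when the deployment is HTTPS-only. Note that browsers match cookie attribute names case-insensitively, so the `sameSite` spelling is accepted, but writing it as `SameSite=Strict` would match the RFC 6265bis form. set_cookie's signature starts outside the hunk.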
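Review bot: The added `.same_site(SameSite::Strict)` in src/infra/tcp_server.rs carries no rationale, and Strict has a user-visible effect that Lax does not: the cookie is withheld on top-level navigations arriving from another site, so a link into the app from elsewhere lands without it. Given the `.path("/api")` scope two lines above, the cookie is presumably only read on same-origin API calls and Strict is the right choice, but that reasoning deserves a line next to it, e.g. `// Strict: the token is only needed on same-origin /api calls, so cross-site requests never carry it (CSRF defence).` The cookie builder chain begins and ends outside the hunk.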