security: set httpOnly, secure, and sameSite on the session cookie#524

Open
xpoes123 wants to merge 1 commit into
qbreader:mainfrom
xpoes123:security/cookie-session-flags
Conversation

@xpoes123 xpoes123 commented Jun 30, 2026

Contributor

Hardens the cookie-session configuration, which previously set none of the standard cookie security flags.

Problem

In app.js, the session cookie declared only name, keys, and maxAge:

  • no httpOnly — readable by client-side JavaScript (session theft via XSS)
  • no secure — can be transmitted over plain HTTP (MITM interception)
  • no sameSite — sent on cross-site requests (CSRF)

Changes

  • Adds httpOnly: true and sameSite: 'lax'.
  • Adds secure: process.env.NODE_ENV === 'production', so cookies are HTTPS-only in production (the app already calls app.enable('trust proxy'), so this works behind the platform proxy) while local HTTP development keeps working.

Risk & testing

Configuration-only change, no application logic altered. secure is gated to production so local dev over HTTP is unaffected. semistandard and node --check pass.

@xpoes123 xpoes123 changed the title security: harden session cookie flags security: set httpOnly, secure, and sameSite on the session cookie Jun 30, 2026