security: set authtkt cookie samesite Strict and httponly

Also set session cookie samesite
wainuiomata · Mar 8, 2024 · 08ac707 · 08ac707
1 parent e514526
commit 08ac707
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/src/sambal/security.py b/src/sambal/security.py
@@ -16,6 +16,8 @@ def __init__(self, secret):
         self.authtkt = AuthTktCookieHelper(
             secret=secret,
             secure=SETTINGS["sambal.https"],
+            samesite="Strict",
+            http_only=True,
         )
 
     def identity(self, request) -> Optional[User]:

diff --git a/src/sambal/settings.py b/src/sambal/settings.py
@@ -14,6 +14,7 @@
     "redis.sessions.secret": os.getenv("SAMBAL_SESSION_SECRET"),
     "redis.sessions.serialize": lambda s: json.dumps(s).encode("utf-8"),
     "redis.sessions.deserialize": lambda s: json.loads(s.decode("utf-8")),
+    "redis.sessions.cookie_samesite": "Strict",
     "redis.sessions.cookie_httponly": True,
 }