Merge branch 'security/cookie-hardening' into 'develop'
Add __Host- prefix to the session cookie name when the secure flag is enabled. See merge request pleroma/pleroma!446
22d20c497b
@ -46,13 +46,18 @@ defmodule Pleroma.Web.Endpoint do
|
||||||
plug(Plug.MethodOverride)
|
plug(Plug.MethodOverride)
|
||||||
plug(Plug.Head)
|
plug(Plug.Head)
|
||||||
|
|
||||||
|
cookie_name =
|
||||||
|
if Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
|
||||||
|
do: "__Host-pleroma_key",
|
||||||
|
else: "pleroma_key"
|
||||||
|
|
||||||
# The session will be stored in the cookie and signed,
|
# The session will be stored in the cookie and signed,
|
||||||
# this means its contents can be read but not tampered with.
|
# this means its contents can be read but not tampered with.
|
||||||
# Set :encryption_salt if you would also like to encrypt it.
|
# Set :encryption_salt if you would also like to encrypt it.
|
||||||
plug(
|
plug(
|
||||||
Plug.Session,
|
Plug.Session,
|
||||||
store: :cookie,
|
store: :cookie,
|
||||||
key: "_pleroma_key",
|
key: cookie_name,
|
||||||
signing_salt: "CqaoopA2",
|
signing_salt: "CqaoopA2",
|
||||||
http_only: true,
|
http_only: true,
|
||||||
secure:
|
secure:
|
||||||
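Review bot: The `__Host-` name chosen at `do: "__Host-pleroma_key",` is only honored by browsers when the cookie is also marked Secure, is sent with `Path=/`, and carries no `Domain` attribute; a `__Host-` cookie that violates any of these is silently discarded, which would manifest as users being unable to log in rather than as an error. The `secure:` option on the last hunk line (its value continues past the hunk) is tied to the same `secure_cookie_flag`, and Plug.Session's cookie defaults appear to leave path/domain at their defaults, but nothing in the hunk records that constraint, so adding a `:domain` or `:path` option later would break sessions without warning. Suggest a comment above `cookie_name =`: `# __Host- is only honored when the cookie is Secure, Path=/ and has no Domain (RFC 6265bis); keep :path/:domain unset or browsers drop it.` Note also that `Application.get_env` runs in the module body here, so the flag is read at compile time and a release-time change to `secure_cookie_flag` will not rename the cookie without recompiling the endpoint. Finally, the rename from `_pleroma_key` invalidates every existing session on upgrade, which the merge request description could state explicitly.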