aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorlambda <pleromagit@rogerbraun.net>2018-11-13 13:23:04 +0000
committerlambda <pleromagit@rogerbraun.net>2018-11-13 13:23:04 +0000
commit22d20c497b813cdaedddb40a46df2f597311b235 (patch)
treeaa2f091f7e1d9d7faa429b462d0396f502efd5ea
parentc3f562a611c71fb07d4afa6ad6054eda4583f36f (diff)
parent87c76a9a2fa95702df05e935c8eb232188df1318 (diff)
downloadpleroma-22d20c497b813cdaedddb40a46df2f597311b235.tar.gz
Merge branch 'security/cookie-hardening' into 'develop'
Add __Host- prefix when secure flag is enabled See merge request pleroma/pleroma!446
Diffstat
-rw-r--r--lib/pleroma/web/endpoint.ex7
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index 7783b8e5c..85bb4ff5f 100644
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -46,13 +46,18 @@ defmodule Pleroma.Web.Endpoint do
plug(Plug.MethodOverride)
plug(Plug.Head)
+ cookie_name =
+ if Application.get_env(:pleroma, Pleroma.Web.Endpoint) |> Keyword.get(:secure_cookie_flag),
+ do: "__Host-pleroma_key",
+ else: "pleroma_key"
+
# The session will be stored in the cookie and signed,
# this means its contents can be read but not tampered with.
# Set :encryption_salt if you would also like to encrypt it.
plug(
Plug.Session,
store: :cookie,
- key: "_pleroma_key",
+ key: cookie_name,
signing_salt: "CqaoopA2",
http_only: true,
secure:
generated by cgit v1.2.3 (git 2.26.2) at 2025-04-25 07:08:17 +0000