Set cookies to have the Secure flag default to true (#739)

* Set Cookies to use the Secure Flag and default SameSite to None * Add secure flag test * Updated changelog and documentation for secure flag option
2025-06-30 14:58:31 -04:00 · 2025-06-30 14:58:31 -04:00 · 292c470ada
commit 292c470ada
parent 12453fdc00
6 changed files with 32 additions and 12 deletions
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@ -262,6 +262,7 @@ func TestCookieSettings(t *testing.T) {

 		CookieDomain:      "127.0.0.1",
 		CookiePartitioned: true,
+		CookieSecure:      true,
 		CookieExpiration:  anubis.CookieDefaultExpirationTime,
 	})

@ -309,6 +310,10 @@ func TestCookieSettings(t *testing.T) {
 	if ckie.Partitioned != srv.opts.CookiePartitioned {
 		t.Errorf("wanted partitioned flag %v, got: %v", srv.opts.CookiePartitioned, ckie.Partitioned)
 	}
+
+	if ckie.Secure != srv.opts.CookieSecure {
+		t.Errorf("wanted secure flag %v, got: %v", srv.opts.CookieSecure, ckie.Secure)
+	}
 }

 func TestCheckDefaultDifficultyMatchesPolicy(t *testing.T) {
--- a/lib/config.go
+++ b/lib/config.go
@ -44,6 +44,7 @@ type Options struct {
 	StripBasePrefix     bool
 	OpenGraph           config.OpenGraph
 	ServeRobotsTXT      bool
+	CookieSecure        bool
 }

 func LoadPoliciesOrDefault(ctx context.Context, fname string, defaultDifficulty int) (*policy.ParsedConfig, error) {
--- a/lib/http.go
+++ b/lib/http.go
@ -23,10 +23,11 @@ import (
 var domainMatchRegexp = regexp.MustCompile(`^((xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$`)

 type CookieOpts struct {
-	Value string
-	Host  string
-	Path  string
-	Name  string
+	Value  string
+	Host   string
+	Path   string
+	Name   string
+	Expiry time.Duration
 }

 func (s *Server) SetCookie(w http.ResponseWriter, cookieOpts CookieOpts) {
@ -45,12 +46,17 @@ func (s *Server) SetCookie(w http.ResponseWriter, cookieOpts CookieOpts) {
 		}
 	}

+	if cookieOpts.Expiry == 0 {
+		cookieOpts.Expiry = s.opts.CookieExpiration
+	}
+
 	http.SetCookie(w, &http.Cookie{
 		Name:        name,
 		Value:       cookieOpts.Value,
-		Expires:     time.Now().Add(s.opts.CookieExpiration),
-		SameSite:    http.SameSiteLaxMode,
+		Expires:     time.Now().Add(cookieOpts.Expiry),
+		SameSite:    http.SameSiteNoneMode,
 		Domain:      domain,
+		Secure:      s.opts.CookieSecure,
 		Partitioned: s.opts.CookiePartitioned,
 		Path:        path,
 	})
@ -77,9 +83,10 @@ func (s *Server) ClearCookie(w http.ResponseWriter, cookieOpts CookieOpts) {
 		Value:       "",
 		MaxAge:      -1,
 		Expires:     time.Now().Add(-1 * time.Minute),
-		SameSite:    http.SameSiteLaxMode,
+		SameSite:    http.SameSiteNoneMode,
 		Partitioned: s.opts.CookiePartitioned,
 		Domain:      domain,
+		Secure:      s.opts.CookieSecure,
 		Path:        path,
 	})
 }
@ -132,11 +139,12 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
 		}
 	}

-	http.SetCookie(w, &http.Cookie{
-		Name:    anubis.TestCookieName,
-		Value:   challengeStr,
-		Expires: time.Now().Add(30 * time.Minute),
-		Path:    "/",
+	s.SetCookie(w, CookieOpts{
+		Value:  challengeStr,
+		Host:   r.Host,
+		Path:   "/",
+		Name:   anubis.TestCookieName,
+		Expiry: 30 * time.Minute,
 	})

 	impl, ok := challenge.Get(rule.Challenge.Algorithm)