From 5f605b3a9167c612184839cdde3a6c7606be2026 Mon Sep 17 00:00:00 2001
From: Panagiotis Papadopoulos
Date: Thu, 16 Jan 2025 21:35:50 +0100
Subject: [PATCH] fix(csrf): set more secure cookieOptions settings

- `sameSite` - previous setting inherited from csurf was to simply not set it at all, which makes all browser nag in their dev console output. They will default to "Lax" for these type of cookies in the future. We can even use "strict" here though for our use case: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value
- `httpOnly`: should be enabled for the csrf cookie as well for the session cookie it already is enabled. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#httponly
---
 src/routes/csrf_protection.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/routes/csrf_protection.ts b/src/routes/csrf_protection.ts
index aadd02100..0c7968af8 100644
--- a/src/routes/csrf_protection.ts
+++ b/src/routes/csrf_protection.ts
@@ -6,8 +6,8 @@ const doubleCsrfUtilities = doubleCsrf({
 cookieOptions: {
 path: "", // empty, so cookie is valid only for the current path
 secure: false,
- sameSite: false,
- httpOnly: false
+ sameSite: "strict",
+ httpOnly: true
 },
 cookieName: "_csrf"
 });
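Review bot: `secure: false` is left untouched on the line just above the changed `sameSite`/`httpOnly` attributes, so the `_csrf` cookie is still sent over plain HTTP and the two hardened attributes do not compensate for that. Unless local development genuinely depends on plain HTTP, consider `secure: process.env.NODE_ENV === "production",` or at least a comment on that line such as `// secure: false only for http-served local dev; must be true wherever the app is served over https`, so the exception is deliberate and visible. One caveat worth recording next to `httpOnly: true`: with the double-submit pattern the client must obtain the token from `generateToken` / the response rather than by reading the cookie, which appears to be how csrf-csrf is meant to be used, but the callers are not visible here. The enclosing `doubleCsrf({ ... })` call starts before this hunk.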