Make cookies HttpOnly and obey COOKIE_SECURE flag (#4706)

author: SagePtr <sageptr@gmail.com> 2018-08-14 22:16:37 +0200
committer: Lauris BH <lauris@nix.lv> 2018-08-14 23:16:37 +0300
commit: 0449330dbce812e67f3309c11e265eb6a5bc0c7e (patch)
tree: 92669658438500567ad0c5805708807d9a5d79aa /routers/routes
parent: ca112f0a04ea7f4fdb8e6dc1e83e293a598abc50 (diff)
download: gitea-0449330dbce812e67f3309c11e265eb6a5bc0c7e.tar.gz
gitea-0449330dbce812e67f3309c11e265eb6a5bc0c7e.zip
1 files changed, 7 insertions, 6 deletions
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index e2448a7446..e5476fd227 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -116,12 +116,13 @@ func NewMacaron() *macaron.Macaron {
 	}))
 	m.Use(session.Sessioner(setting.SessionConfig))
 	m.Use(csrf.Csrfer(csrf.Options{
-		Secret:     setting.SecretKey,
-		Cookie:     setting.CSRFCookieName,
-		SetCookie:  true,
-		Secure:     setting.SessionConfig.Secure,
-		Header:     "X-Csrf-Token",
-		CookiePath: setting.AppSubURL,
+		Secret:         setting.SecretKey,
+		Cookie:         setting.CSRFCookieName,
+		SetCookie:      true,
+		Secure:         setting.SessionConfig.Secure,
+		CookieHttpOnly: true,
+		Header:         "X-Csrf-Token",
+		CookiePath:     setting.AppSubURL,
 	}))
 	m.Use(toolbox.Toolboxer(m, toolbox.Options{
 		HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
author	SagePtr <sageptr@gmail.com>	2018-08-14 22:16:37 +0200
committer	Lauris BH <lauris@nix.lv>	2018-08-14 23:16:37 +0300
commit	0449330dbce812e67f3309c11e265eb6a5bc0c7e (patch)
tree	92669658438500567ad0c5805708807d9a5d79aa /routers/routes
parent	ca112f0a04ea7f4fdb8e6dc1e83e293a598abc50 (diff)
download	gitea-0449330dbce812e67f3309c11e265eb6a5bc0c7e.tar.gz gitea-0449330dbce812e67f3309c11e265eb6a5bc0c7e.zip