fix: Secure cookies

These should eventually move to options in the auth config
philipcristiano · Oct 2, 2024 · ca58071 · ca58071
1 parent e7dd7ca
commit ca58071
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/src/oidc.rs b/src/oidc.rs
@@ -336,6 +336,9 @@ async fn login_auth(
     let max_age_duration = tower_cookies::cookie::time::Duration::new(max_age.num_seconds(), 0);
     user_cookie.set_path("/");
     user_cookie.set_max_age(Some(max_age_duration));
+    user_cookie.set_same_site(Some(tower_cookies::cookie::SameSite::Strict));
+    user_cookie.set_secure(Some(true));
+    user_cookie.set_http_only(Some(true));
     private_cookies.add(user_cookie);
 
     Ok(Redirect::to(&config.post_auth_path).into_response())