author | ᴜɴᴋɴᴡᴏɴ <u@gogs.io> | 2020-03-27 00:08:46 +0800 |
committer | GitHub <noreply@github.com> | 2020-03-27 00:08:46 +0800 |
commit | 14cd16f1f81da03bed0483eab7214873041eb95c (patch) | |
tree | 72f5bff2700ddad602283cc49c50b0c7030d4d3a | |
parent | 5800d78b99993479839cf01729275cd040b3565c (diff) |
csrf: set cookie HttpOnly and Secure (#6013)
-rw-r--r-- | internal/cmd/web.go | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/internal/cmd/web.go b/internal/cmd/web.go
index 3ef925f4..04067427 100644
--- a/internal/cmd/web.go
+++ b/internal/cmd/web.go
@@ -153,11 +153,14 @@ func newMacaron() *macaron.Macaron {
 Secure: conf.Session.CookieSecure,
 }))
 m.Use(csrf.Csrfer(csrf.Options{
- Secret: conf.Security.SecretKey,
- Cookie: conf.Session.CSRFCookieName,
- SetCookie: true,
- Header: "X-Csrf-Token",
- CookiePath: conf.Server.Subpath,
+ Secret: conf.Security.SecretKey,
+ Header: "X-Csrf-Token",
+ Cookie: conf.Session.CSRFCookieName,
+ CookieDomain: conf.Server.URL.Hostname(),
+ CookiePath: conf.Server.Subpath,
+ CookieHttpOnly: true,
+ SetCookie: true,
+ Secure: conf.Server.URL.Scheme == "https",
 }))
 m.Use(toolbox.Toolboxer(m, toolbox.Options{
 HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
@@ -412,9 +415,7 @@ func runWeb(c *cli.Context) error {
 Post(bindIgnErr(form.UpdateOrgSetting{}), org.SettingsPost)
 m.Post("/avatar", binding.MultipartForm(form.Avatar{}), org.SettingsAvatar)
 m.Post("/avatar/delete", org.SettingsDeleteAvatar)
- m.Group("/hooks", webhookRoutes)
- m.Route("/delete", "GET,POST", org.SettingsDelete)
 }) |
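Review bot: The new `Secure: conf.Server.URL.Scheme == "https"` line derives the CSRF cookie's Secure flag from the configured URL scheme, while the session cookie a few lines above takes it from `conf.Session.CookieSecure`, so the two cookies can disagree whenever the configured URL and the transport the operator actually terminates TLS on differ; `Secure: conf.Session.CookieSecure,` (or OR-ing the two values) keeps the cookies consistent. The added `CookieDomain: conf.Server.URL.Hostname()` is a scope change the commit title does not mention: an explicit Domain attribute makes the cookie available to every subdomain of that host, whereas leaving it unset yields a host-only cookie, and a Domain of localhost or an IP literal is dropped by some browsers. If widening to subdomains is intended, a comment such as `// Domain is set explicitly so the CSRF cookie is shared with subdomains of the configured host; omit it for host-only scope.` would record that decision. If any client-side script reads the CSRF cookie to populate the X-Csrf-Token header, CookieHttpOnly will break that flow — presumably the token is rendered into the page instead, but worth confirming. newMacaron continues outside the hunk.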