Harden for public deployment behind a reverse proxy
The session cookie now sets the Secure attribute (server.secure_cookies, default true). Adds chi RealIP and Recoverer middleware plus a securityHeaders middleware that emits a Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy on every response. HSTS is intentionally left to the TLS-terminating proxy. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -38,7 +38,7 @@ type Manager struct {
|
||||
hmacKey []byte
|
||||
}
|
||||
|
||||
func NewManager(sqlDB *sql.DB, store *db.Store, sessionSecret string) (*Manager, error) {
|
||||
func NewManager(sqlDB *sql.DB, store *db.Store, sessionSecret string, secureCookies bool) (*Manager, error) {
|
||||
if len(sessionSecret) < 32 {
|
||||
return nil, errors.New("session secret too short")
|
||||
}
|
||||
@@ -51,7 +51,10 @@ func NewManager(sqlDB *sql.DB, store *db.Store, sessionSecret string) (*Manager,
|
||||
sm.Cookie.Path = "/"
|
||||
sm.Cookie.SameSite = http.SameSiteLaxMode
|
||||
sm.Cookie.Persist = true
|
||||
// Cookie.Secure left false for self-hosted HTTP deployments; flip via env in deploy.
|
||||
// Secure must be set whenever the browser-facing connection is HTTPS,
|
||||
// which includes running behind a TLS-terminating proxy. Resolved from
|
||||
// config; defaults to true there.
|
||||
sm.Cookie.Secure = secureCookies
|
||||
|
||||
mac := sha256.New()
|
||||
mac.Write([]byte(sessionSecret))
|
||||
|
||||
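Review bot: The new `sm.Cookie.Secure = secureCookies` assignment gives no visibility into which value took effect, and a wrong value fails silently: on a plain-HTTP self-hosted instance with the new default of true, browsers discard the Secure cookie so every login appears to succeed and then vanishes, while a false value on an HTTPS deployment sends the session cookie in clear text. NewManager already validates the secret length at construction, so it is the natural place to record the effective value once at startup, e.g. `log.Printf("session cookies: Secure=%t", secureCookies)` using whatever logger the package already has in scope. The replacement comment also describes another package's default ("defaults to true there"), which will rot if the config default changes; `// Secure must be set whenever the browser-facing connection is HTTPS, including behind a TLS-terminating proxy; the caller passes the configured value.` keeps the contract local. NewManager is exported and, as the hunk at @@ -38 shows, still carries no doc comment; the signature change is the moment to add one naming the secureCookies parameter and the 32-byte minimum on sessionSecret. The rest of NewManager lies between and beyond the two hunks.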