torsten/harheimertc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update cookie SameSite configuration and secure options for improved security compliance
Some checks failed
Code Analysis (JS/Vue) / analyze (push) Failing after 42s
Details

Browse Source 
This commit enhances the cookie handling logic by providing detailed comments on the SameSite attribute options and their implications for security. It sets the default SameSite value to 'none' to allow iframe embedding while ensuring that Secure is true when SameSite is 'none'. Additionally, it adds a warning for cases where SameSite is 'none' but Secure is false, improving the overall security posture of cookie management.
This commit is contained in:
Torsten Schulz (local)
2026-01-11 21:10:00 +01:00
parent 12ae192b37
commit 6d6a14ac48
1 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
server/utils/cookies.js
View File

@@ -11,17 +11,33 @@ export function getCookieSecureDefault() {
}
export function getSameSiteDefault() {
// Erwartung aus Security-Feedback: Strict. In Dev ggf. Lax, damit SSO/Flows nicht nerven.
// Cookie SameSite-Konfiguration
// - 'none': Erlaubt Cookies in Cross-Site-iframes (erfordert Secure: true)
// - 'lax': Erlaubt Cookies bei Navigation (Standard für Cross-Site)
// - 'strict': Blockiert alle Cross-Site-Cookies (sicherste Option, blockiert iframes)
const v = (process.env.COOKIE_SAMESITE || '').toLowerCase().trim()
if (v === 'strict' || v === 'lax' || v === 'none') return v
return isProduction() ? 'strict' : 'lax'
// Default: 'none' für Cross-Site-iframes (wenn in iframe eingebettet)
// WICHTIG: SameSite: none erfordert Secure: true (HTTPS)
// Falls iframe-Einbettung nicht benötigt wird, kann auf 'strict' oder 'lax' geändert werden
return 'none' // Ermöglicht Einbettung in iframes (z.B. von harheimertc.de)
}
export function getAuthCookieOptions() {
const sameSite = getSameSiteDefault()
const secure = getCookieSecureDefault()
// SameSite: none erfordert Secure: true
// Wenn SameSite: none gesetzt ist, aber Secure: false, warnen
if (sameSite === 'none' && !secure) {
console.warn('⚠️ SameSite: none erfordert Secure: true. Cookie könnte in iframes nicht funktionieren.')
}
return {
httpOnly: true,
secure: getCookieSecureDefault(),
sameSite: getSameSiteDefault(),
secure: secure,
sameSite: sameSite,
maxAge: 60 * 60 * 24 * 7 // 7 days
}
}