
Can we make the session cookie SameSite=Strict (currently defaulting to SameSite=Lax)? #532

Open
eoinkelly opened this issue Feb 15, 2024 · 1 comment

Comments

@eoinkelly
Contributor

I might be missing something but I have not yet found a reason why we cannot set SameSite=Strict on the Rails session cookie. This is a very minor security win but will likely tick some lower priority boxes in pen tests.

The change would be something along the lines of:

# config/application.rb

  # Specify cookies SameSite protection level: either :none, :lax, or :strict.
  config.action_dispatch.cookies_same_site_protection = :strict # defaults to :lax

Background
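To make the difference between the current `:lax` default and the proposed `:strict` concrete, here is an added example in plain Ruby (stdlib only; it is not code from the Rails project or from the issue author). It builds the `Set-Cookie` header a session cookie would carry for each `cookies_same_site_protection` level and models the browser-side decision of whether to attach that cookie to a request. The site names `app.example` / `other.example` and the scenario list are constructed for the example.

```ruby
# Added example: models SameSite cookie behaviour for a Rails-style session
# cookie so the :lax vs :strict trade-off can be seen without running Rails.
# Not part of Rails or of the issue; all site names below are constructed.

SAME_SITE_LEVELS = %i[none lax strict].freeze

# Build the Set-Cookie header for a session cookie at a given SameSite level.
# Mirrors the attribute set a Rails session cookie normally carries
# (path, secure, HttpOnly, SameSite); SameSite=None additionally requires Secure.
def session_set_cookie(name:, value:, same_site:, secure: true)
  unless SAME_SITE_LEVELS.include?(same_site)
    raise ArgumentError, "unknown SameSite level #{same_site.inspect}"
  end

  attrs = ["#{name}=#{value}", "path=/"]
  attrs << "secure" if secure || same_site == :none
  attrs << "HttpOnly"
  attrs << "SameSite=#{same_site.to_s.capitalize}"
  attrs.join("; ")
end

# Browser-side rule: is the cookie attached to this request?
#   initiator_site - site of the page that started the request
#   target_site    - site the request is sent to
#   method         - HTTP method
#   top_level      - true for a top-level navigation (clicked link, form submit,
#                    redirect), false for fetch/XHR, <img>, <iframe> loads
def cookie_sent?(same_site:, initiator_site:, target_site:, method:, top_level:)
  return true if initiator_site == target_site # same-site: always sent

  case same_site
  when :none   then true                            # cross-site: always sent
  when :lax    then top_level && method == "GET"    # only top-level GET navigations
  when :strict then false                           # never on cross-site requests
  else raise ArgumentError, "unknown SameSite level #{same_site.inspect}"
  end
end

# Constructed scenarios run against one SameSite level.
# Returns { scenario_name => cookie_sent? } in insertion order.
def scenario_matrix(same_site)
  app   = "app.example"   # constructed: the Rails app
  other = "other.example" # constructed: any unrelated site
  {
    "same-site form POST" =>
      cookie_sent?(same_site: same_site, initiator_site: app, target_site: app,
                   method: "POST", top_level: true),
    "cross-site link click (top-level GET)" =>
      cookie_sent?(same_site: same_site, initiator_site: other, target_site: app,
                   method: "GET", top_level: true),
    "cross-site form POST (classic CSRF shape)" =>
      cookie_sent?(same_site: same_site, initiator_site: other, target_site: app,
                   method: "POST", top_level: true),
    "cross-site fetch/XHR GET" =>
      cookie_sent?(same_site: same_site, initiator_site: other, target_site: app,
                   method: "GET", top_level: false)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts session_set_cookie(name: "_app_session", value: "abc", same_site: :strict)
  SAME_SITE_LEVELS.each do |level|
    puts "SameSite=#{level.to_s.capitalize}:"
    scenario_matrix(level).each { |name, sent| puts "  #{sent ? 'sent   ' : 'dropped'}  #{name}" }
  end
end
```

The matrix shows where the "minor security win" lives: `:lax` already withholds the session cookie on cross-site POSTs and subresource requests, so `:strict` only changes the cross-site top-level GET case. That same row is the operational cost to check before switching: a user arriving via an external link (an e-mail, another site, or a redirect back from an identity provider) reaches the app without the session cookie on that first request, so any flow that depends on session state across such a redirect needs to be tested with `:strict` enabled.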

@lukeify

lukeify commented Mar 7, 2024

:strict makes sense as a default (as discussed at Ruby Guild on 8th March)
