
fix(core): Use more secure default for cookie sameSite option

Relates to https://github.com/vendure-ecommerce/vendure/security/advisories/GHSA-h9wq-xcqx-mqxm.
The default used by the underlying `cookie-session` middleware is `false`, which is the least
secure setting. In modern browsers, this should be interpreted as `lax`, but this cannot be assumed
to be the case in 100% of situations. Therefore, we will now default to `lax` and if the user
needs a less restrictive policy, they can explicitly set it to `none`.
Author: Michael Bromley, 2 years ago
Parent commit: 4a10d6785a
1 changed file with 1 addition and 0 deletions:
  packages/core/src/config/default-config.ts

+ 1 - 0
packages/core/src/config/default-config.ts

@@ -86,6 +86,7 @@ export const defaultConfig: RuntimeVendureConfig = {
         cookieOptions: {
             secret: Math.random().toString(36).substr(3),
             httpOnly: true,
+            sameSite: 'lax',
         },
         authTokenHeaderKey: DEFAULT_AUTH_TOKEN_HEADER_KEY,
         sessionDuration: '1y',
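Review bot: the `sameSite: 'lax'` default is the right call, but the commit message points users who need cross-site cookies to override it with `'none'`, and modern browsers reject a `SameSite=None` cookie that does not also carry the `Secure` attribute; this hunk sets `httpOnly: true` but no `secure` default next to it, so the override path silently yields a cookie the browser drops. Worth stating in the docs for `cookieOptions` (and ideally in this commit message) that `sameSite: 'none'` must be paired with `secure: true`. Separately, the adjacent line `secret: Math.random().toString(36).substr(3)` derives the default cookie secret from `Math.random()`, which is not a cryptographically secure generator; that is a pre-existing line, but since this commit is tightening cookie defaults it is a good place to note that the default secret is a development convenience and that deployments should set their own.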