From 1ef0ea3f7f66a0e8cb378a1b9940523e0f858600 Mon Sep 17 00:00:00 2001
From: thevickypedia
Date: Fri, 23 Feb 2024 11:18:02 -0600
Subject: [PATCH] Set `samesite` to `strict` for cookies

---
 pystream/main.py | 2 +-
 pystream/routers/auth.py | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/pystream/main.py b/pystream/main.py
index b5b836e..64e36db 100644
--- a/pystream/main.py
+++ b/pystream/main.py
@@ -37,7 +37,7 @@ async def redirect_exception_handler(request: Request,
 else:
 response = RedirectResponse(url=exception.location)
 if exception.detail:
- response.set_cookie("detail", exception.detail.upper())
+ response.set_cookie("detail", exception.detail.upper(), httponly=True, samesite="strict")
 return response
diff --git a/pystream/routers/auth.py b/pystream/routers/auth.py
index f560b6f..6964a75 100644
--- a/pystream/routers/auth.py
+++ b/pystream/routers/auth.py
@@ -71,7 +71,8 @@ async def login(request: Request) -> JSONResponse:
 value=config.static.cipher_suite.encrypt(str(auth_payload).encode("utf-8")).decode(),
 max_age=config.env.session_duration,
 expires=expiration,
- httponly=True)
+ httponly=True,
+ samesite="strict")
 if config.env.secure_session:
 cookie_kwargs["secure"] = True
 response.set_cookie(**cookie_kwargs)
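Review bot: The new `set_cookie` call on the `+` line of the `pystream/main.py` hunk still omits `secure` and any lifetime, so the `detail` cookie is sent over plain HTTP even when the session cookie in `pystream/routers/auth.py` is marked secure, and it lingers for the rest of the browser session after the message has been shown once. Mirroring the auth router would look like `cookie_kwargs = {"httponly": True, "samesite": "strict", "max_age": 60}` (60 is a placeholder; pick a short value) followed by `if config.env.secure_session: cookie_kwargs["secure"] = True` and `response.set_cookie("detail", exception.detail.upper(), **cookie_kwargs)`, assuming `config` is importable in `main.py` as it is in the router. `httponly=True` also means browser-side script can no longer read the detail; if the login page renders it from `document.cookie` rather than server-side, this change silently hides the message, which is worth confirming against the template. `redirect_exception_handler` starts before this hunk.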
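Review bot: `samesite="strict"` on the session cookie at the new `+` line of the `pystream/routers/auth.py` hunk means the browser withholds the cookie on any top-level navigation that originates from another site (a link from an email or another page), so the first request after such a navigation arrives unauthenticated even though the session is still valid; `samesite="lax"` would keep blocking cross-site POST, iframe and XHR requests while allowing those navigations. A short comment above the `cookie_kwargs` construction, `# strict: cookie is never sent on cross-site navigations, so users arriving via external links see the login page first`, would keep that trade-off next to the setting. `secure` remains gated on `config.env.secure_session` on the context lines below, so over plain HTTP the encrypted session token is still exposed to passive interception regardless of `samesite`; that gating predates this change. The `cookie_kwargs` construction starts before the hunk.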