🪻 distributed transcription service thistle.dunkirk.sh

fix: change session cookies to SameSite=Strict #9

Status: closed
Opened by dunkirk.sh (edited)

Medium Priority

Location: src/index.ts:426, 465, 527, 897

Issue

SameSite=Lax instead of Strict

Impact

Vulnerable to certain CSRF attacks via top-level navigation

Fix Time

~5 minutes

Recommendation

Use SameSite=Strict unless you need cross-site GET requests


From LAUNCH_REVIEW.md Issue #19
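As an added illustration of the recommended fix (example code written for this note, not code from thistle's src/index.ts), the following TypeScript builds a session Set-Cookie header that defaults to SameSite=Strict, parses the SameSite attribute of an existing header (treating a missing attribute as Lax, which is what current browsers default to), and audits a list of headers for session cookies that are still Lax. The cookie names and header strings are constructed samples; `buildSessionCookie`, `sameSiteOf` and `findLaxSessionCookies` are hypothetical helper names.

```typescript
// Added example, not thistle's own code. Demonstrates emitting a session
// cookie with SameSite=Strict and auditing Set-Cookie headers for Lax ones.

type SameSite = "Strict" | "Lax" | "None";

interface CookieOptions {
  sameSite?: SameSite;
  secure?: boolean;
  httpOnly?: boolean;
  path?: string;
  maxAge?: number;
}

// Build a Set-Cookie value. Defaults are the hardened form this issue asks for:
// SameSite=Strict, HttpOnly, Secure, Path=/.
function buildSessionCookie(name: string, value: string, opts: CookieOptions = {}): string {
  const { sameSite = "Strict", secure = true, httpOnly = true, path = "/", maxAge } = opts;
  if (sameSite === "None" && !secure) {
    // Browsers reject SameSite=None without Secure, so fail early instead of
    // silently emitting a cookie that will be dropped.
    throw new Error("SameSite=None requires Secure");
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push("HttpOnly");
  if (secure) parts.push("Secure");
  return parts.join("; ");
}

// Read the SameSite attribute of a Set-Cookie header (attribute names and
// values are case-insensitive). A missing or unrecognised value is reported
// as "Lax", matching the default modern browsers apply.
function sameSiteOf(setCookie: string): SameSite {
  for (const attr of setCookie.split(";").slice(1)) {
    const [k, v] = attr.trim().split("=");
    if (k.toLowerCase() === "samesite") {
      const val = (v ?? "").trim().toLowerCase();
      if (val === "strict") return "Strict";
      if (val === "none") return "None";
      return "Lax";
    }
  }
  return "Lax";
}

// Audit helper: names of the given session cookies that are not SameSite=Strict.
function findLaxSessionCookies(headers: string[], sessionCookieNames: string[]): string[] {
  const flagged: string[] = [];
  for (const h of headers) {
    const name = h.split(";")[0].split("=")[0].trim();
    if (sessionCookieNames.includes(name) && sameSiteOf(h) !== "Strict") {
      flagged.push(name);
    }
  }
  return flagged;
}

// Constructed sample headers (not taken from thistle): one Lax session cookie
// as described in the issue, one built with the hardened default, and one
// non-session cookie where Lax is acceptable.
const SAMPLE_HEADERS: string[] = [
  "session=abc123; Path=/; SameSite=Lax; HttpOnly; Secure",
  buildSessionCookie("session_v2", "xyz"),
  "theme=dark; Path=/; SameSite=Lax",
];

// Running the audit over the samples flags only the Lax session cookie.
console.log(findLaxSessionCookies(SAMPLE_HEADERS, ["session", "session_v2"]));
```

The audit only flags cookies named as session cookies, since a Lax preference cookie like `theme` is not a CSRF concern; the fix in this issue applies to the session cookie specifically.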

Labels: none yet
Priority: medium
Assignee: dunkirk.sh
Participants: 1
AT URI: at://did:plc:krxbvxvis5skq7jj6eot23ul/sh.tangled.repo.issue/3m6d4doz2ev2u