Fix cookie SameSite not being set

2023-01-26 09:34:26 +01:00
parent 43a0aefea3
commit 0827fb2c24
2 changed files with 8 additions and 1 deletions
--- a/main.py
+++ b/main.py
@@ -14,6 +14,11 @@ import captcha, password, minimd
 app = Flask(__name__)
 db = DB(os.getenv('DB'))

+# This defaults to None, which allows CSRF attacks in FireFox
+# and older versions of Chrome.
+# 'Lax' is sufficient to prevent malicious POST requests.
+app.config['SESSION_COOKIE_SAMESITE'] = 'Lax'
+
 class Config:
    pass
 config = Config()