From f848aaa81f04666dae29e0bb85ccf31d30574de7 Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Wed, 25 May 2022 18:08:12 +0200
Subject: [PATCH] [security] Set SameSite to `strict` instead of browser
 default (#606)

---
 internal/router/session.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/router/session.go b/internal/router/session.go
index 4c83b5902..a2cbff7d1 100644
--- a/internal/router/session.go
+++ b/internal/router/session.go
@@ -42,7 +42,7 @@ func SessionOptions() sessions.Options {
 		MaxAge:   120,                                              // 2 minutes
 		Secure:   viper.GetString(config.Keys.Protocol) == "https", // only use cookie over https
 		HttpOnly: true,                                             // exclude javascript from inspecting cookie
-		SameSite: http.SameSiteDefaultMode,                         // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
+		SameSite: http.SameSiteStrictMode,                          // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1
 	}
 }