Add __Host- prefix, set X-XSS-Protection to 0, require go1.11

2020-06-25 08:21:16 +02:00 · 2020-06-25 08:21:16 +02:00 · ca4db66308
commit ca4db66308
parent d844f6ee1a
6 changed files with 53 additions and 24 deletions
--- a/pkg/cookie/cookie.go
+++ b/pkg/cookie/cookie.go
@ -0,0 +1,35 @@
+package cookie
+
+import "net/http"
+
+const HostPrefix = "__Host-"
+
+func Harden(r *http.Request, cookie *http.Cookie) *http.Cookie {
+	cookie.HttpOnly = true
+	cookie.Secure = r.TLS != nil
+
+	if cookie.Path == "" {
+		cookie.Path = "/"
+	}
+
+	if cookie.Path == "/" && cookie.Secure {
+		cookie.Name = HostPrefix + cookie.Name
+	}
+
+	if cookie.SameSite == 0 {
+		cookie.SameSite = http.SameSiteLaxMode
+	}
+
+	return cookie
+}
+
+func Set(w http.ResponseWriter, r *http.Request, cookie *http.Cookie) {
+	http.SetCookie(w, Harden(r, cookie))
+}
+
+func Name(r *http.Request, name string) string {
+	if r.TLS != nil {
+		return HostPrefix + name
+	}
+	return name
+}
--- a/pkg/session/session.go
+++ b/pkg/session/session.go
@ -6,6 +6,8 @@ import (
 	"net/http"
 	"sync"
 	"time"
+
+	"github.com/khlieng/dispatch/pkg/cookie"
 )

 var (
@ -48,18 +50,11 @@ func (s *Session) SetCookie(w http.ResponseWriter, r *http.Request) {
 	created := time.Unix(s.createdAt, 0)
 	s.lock.Unlock()

-	cookie := &http.Cookie{
-		Name:     CookieName,
-		Value:    s.Key(),
-		Path:     "/",
-		Expires:  created.Add(Expiration),
-		HttpOnly: true,
-		Secure:   r.TLS != nil,
-	}
-
-	if v := cookie.String(); v != "" {
-		w.Header().Add("Set-Cookie", v+"; SameSite=Lax")
-	}
+	cookie.Set(w, r, &http.Cookie{
+		Name:    CookieName,
+		Value:   s.Key(),
+		Expires: created.Add(Expiration),
+	})
 }

 func (s *Session) Expired() bool {