Improve security: use stricter session cookies and add CSRF protection

Danielle McLean 2017-10-02 20:17:49 +11:00
parent 27b465180a
commit ade7552587
Signed by: 00dani
GPG key ID: 3844A6973C6058F1


@ -73,7 +73,7 @@ instance Yesod App where
-- Store session data on the client in encrypted cookies,
-- default session idle timeout is 120 minutes
makeSessionBackend _ = Just <$> defaultClientSessionBackend
makeSessionBackend _ = sslOnlySessions . strictSameSiteSessions $ Just <$> defaultClientSessionBackend
120 -- timeout in minutes
"config/client_session_key.aes"
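Review bot: the comment above `makeSessionBackend` still only says "encrypted cookies"; with this change the session cookie is also marked Secure (`sslOnlySessions`) and SameSite=Strict (`strictSameSiteSessions`), and both have user-visible consequences worth recording there. Secure means a browser will not send the cookie over plain HTTP, so a development instance served without TLS will appear unable to keep anyone logged in; SameSite=Strict means the cookie is also withheld on cross-site navigations, so a user following a link to this site from elsewhere lands as if logged out until they navigate again. Suggest extending the comment, e.g. `-- Cookies are Secure (HTTPS only) and SameSite=Strict; run behind TLS locally.`, and deciding deliberately whether Strict or Lax is the intended trade-off.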
@ -84,7 +84,7 @@ instance Yesod App where
-- b) Validates that incoming write requests include that token in either a header or POST parameter.
-- To add it, chain it together with the defaultMiddleware: yesodMiddleware = defaultYesodMiddleware . defaultCsrfMiddleware
-- For details, see the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package.
yesodMiddleware = defaultYesodMiddleware
yesodMiddleware = defaultYesodMiddleware . defaultCsrfMiddleware
defaultLayout widget = do
master <- getYesod
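Review bot: enabling `defaultCsrfMiddleware` makes the token check mandatory for every write request, as the comment two lines up describes, but this commit changes nothing on the client side. Any hand-written form, and any JavaScript that issues POST/PUT/DELETE requests, must now supply the token in the header or POST parameter or it will be rejected; only forms that go through Yesod's own form helpers pick it up automatically. Suggest either confirming in the commit message that no such forms or requests exist, or adding the token to them in the same change so the CSRF check does not silently break existing functionality.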