Improve security: use stricter session cookies and add CSRF protection

2017-10-02 20:17:49 +11:00 · 2017-10-02 20:17:49 +11:00 · ade7552587
commit ade7552587
parent 27b465180a
1 changed files with 2 additions and 2 deletions
--- a/src/Foundation.hs
+++ b/src/Foundation.hs
@ -73,7 +73,7 @@ instance Yesod App where

    -- Store session data on the client in encrypted cookies,
    -- default session idle timeout is 120 minutes
-    makeSessionBackend _ = Just <$> defaultClientSessionBackend
+    makeSessionBackend _ = sslOnlySessions . strictSameSiteSessions $ Just <$> defaultClientSessionBackend
        120    -- timeout in minutes
        "config/client_session_key.aes"

@ -84,7 +84,7 @@ instance Yesod App where
    --   b) Validates that incoming write requests include that token in either a header or POST parameter.
    -- To add it, chain it together with the defaultMiddleware: yesodMiddleware = defaultYesodMiddleware . defaultCsrfMiddleware
    -- For details, see the CSRF documentation in the Yesod.Core.Handler module of the yesod-core package.
-    yesodMiddleware = defaultYesodMiddleware
+    yesodMiddleware = defaultYesodMiddleware . defaultCsrfMiddleware

    defaultLayout widget = do
        master <- getYesod