Title: fix(server): default session and CSRF cookies to Secure by JosunLP · Pull Request #189 · bQuery/bQuery · GitHub
Open Graph Title: fix(server): default session and CSRF cookies to Secure by JosunLP · Pull Request #189 · bQuery/bQuery
X Title: fix(server): default session and CSRF cookies to Secure by JosunLP · Pull Request #189 · bQuery/bQuery
Description: Summary Fixes #169 (Medium; direct credential-theft impact). The session-id cookie (the sole bearer credential) and the CSRF secret cookie (embeds the raw secret in signed mode) both defaulted to no Secure flag. On any plaintext-HTTP hop — an HTTP→HTTPS redirect, a misconfigured proxy — a network MITM could read them and hijack the session or forge matching CSRF tokens. sameSite: 'lax' does not compensate. Fix Both middlewares now default secure: true with an explicit opt-out for local HTTP dev: secure: options.cookie?.secure ?? true Placed after the ...options.cookie spread so a user's explicit secure: false still wins. Session (session.ts, including the destroy/expire path via shared baseCookie) and CSRF (csrf.ts) are covered. Doc comments updated. Verification Strengthened the existing "secure-by-default" session test (it never actually asserted Secure) + new opt-out test. New CSRF tests: Secure present by default, absent when secure: false. bun test server suites: all pass. tsc --noEmit clean. 🤖 Generated with Claude Code
Open Graph Description: Summary Fixes #169 (Medium; direct credential-theft impact). The session-id cookie (the sole bearer credential) and the CSRF secret cookie (embeds the raw secret in signed mode) both defaulted to n...
X Description: Summary Fixes #169 (Medium; direct credential-theft impact). The session-id cookie (the sole bearer credential) and the CSRF secret cookie (embeds the raw secret in signed mode) both defaulted to n...
Opengraph URL: https://github.com/bQuery/bQuery/pull/189
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:4c009471-b969-64f5-ea1c-99847b2a1c8e |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | 94B8:8E478:70BC6D:A4DB11:6A4E11C9 |
| html-safe-nonce | 7d384970244eb358c2105b88da4ead1064695c814e3b0313789487ccaca5fdcd |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5NEI4OjhFNDc4OjcwQkM2RDpBNERCMTE6NkE0RTExQzkiLCJ2aXNpdG9yX2lkIjoiNTg5OTY5ODQ2MjYxODY4NTg5NyIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 1484d02371fd2f42ad6e15433cdc8fe53af4bf443be6ae2ae32d7aaafe9c38da |
| hovercard-subject-tag | pull_request:4001024560 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/bQuery/bQuery/pull/189/files |
| twitter:image | https://avatars.githubusercontent.com/u/20913954?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/20913954?s=400&v=4 |
| og:image:alt | Summary Fixes #169 (Medium; direct credential-theft impact). The session-id cookie (the sole bearer credential) and the CSRF secret cookie (embeds the raw secret in signed mode) both defaulted to n... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | df0492960db29b4938cb72070351d6b1d0c6c0767b27ceb8394bbf4fcc0223c6 |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/bQuery/bQuery git https://github.com/bQuery/bQuery.git |
| octolytics-dimension-user_id | 256381806 |
| octolytics-dimension-user_login | bQuery |
| octolytics-dimension-repository_id | 1139284244 |
| octolytics-dimension-repository_nwo | bQuery/bQuery |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 1139284244 |
| octolytics-dimension-repository_network_root_nwo | bQuery/bQuery |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 51470c353b8a1f52a88d3e3cc2014b17ab8cc1ce |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width