Merge pull request #273 from aleksei-burlakov/http-only

Enable HttpOnly secure flag by default
ClusterLabs · Nov 21, 2023 · 97c130d · 97c130d
2 parents b482c8c + 37b7d69
commit 97c130d
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/hawk/app/lib/hawk/secure_cookies.rb b/hawk/app/lib/hawk/secure_cookies.rb
@@ -17,8 +17,7 @@ def call(env)
           next if cookie.blank?
           next if cookie =~ /;\s*secure/i
 
-          cookie << '; Secure'
-          cookie << '; HttpOnly' if ENV['HAWK_COOKIE_HTTP_ONLY'] == 'true'
+          cookie << '; Secure ; HttpOnly'
         end
 
         headers['Set-Cookie'] = cookies.join(COOKIE_SEPARATOR)