From 37b7d69fb26a604afbeccc338d4b197c866629c4 Mon Sep 17 00:00:00 2001 From: Aleksei Burlakov Date: Tue, 21 Nov 2023 05:30:36 -0500 Subject: [PATCH] Enable HttpOnly secure flag by default The HttpOnly secure flag was set as default in 8db131080e, but then I changed my mind and made it parametrisable in 0008fdf613f7. However, after discussing with Johannes Segitz we decided to revert the 0008fdf613f7 and use the HttpOnly by default. --- hawk/app/lib/hawk/secure_cookies.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/hawk/app/lib/hawk/secure_cookies.rb b/hawk/app/lib/hawk/secure_cookies.rb index 3a507392f..41686eee1 100644 --- a/hawk/app/lib/hawk/secure_cookies.rb +++ b/hawk/app/lib/hawk/secure_cookies.rb @@ -17,8 +17,7 @@ def call(env) next if cookie.blank? next if cookie =~ /;\s*secure/i - cookie << '; Secure' - cookie << '; HttpOnly' if ENV['HAWK_COOKIE_HTTP_ONLY'] == 'true' + cookie << '; Secure ; HttpOnly' end headers['Set-Cookie'] = cookies.join(COOKIE_SEPARATOR)
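Review bot: the `next if cookie =~ /;\s*secure/i` guard above the changed lines now also skips the `HttpOnly` attribute: a cookie that already carries `Secure` but not `HttpOnly` is left untouched, so the new default is not applied uniformly to every `Set-Cookie` header. Consider testing for each attribute separately, e.g. `cookie << '; Secure' unless cookie =~ /;\s*secure/i` followed by `cookie << '; HttpOnly' unless cookie =~ /;\s*httponly/i`. Minor style point: `'; Secure ; HttpOnly'` has a stray space before the second semicolon; `'; Secure; HttpOnly'` is the conventional form. Since the `HAWK_COOKIE_HTTP_ONLY` environment variable is removed here, any documentation or deployment configuration that still mentions it should be updated in the same change.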