csrf: set cookie HttpOnly and Secure (#6013)

pull/6014/head
ᴜɴᴋɴᴡᴏɴ 2020-03-27 00:08:46 +08:00 committed by GitHub
parent 5800d78b99
commit 14cd16f1f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 7 deletions


@ -153,11 +153,14 @@ func newMacaron() *macaron.Macaron {
Secure: conf.Session.CookieSecure,
}))
m.Use(csrf.Csrfer(csrf.Options{
Secret: conf.Security.SecretKey,
Cookie: conf.Session.CSRFCookieName,
SetCookie: true,
Header: "X-Csrf-Token",
CookiePath: conf.Server.Subpath,
Secret: conf.Security.SecretKey,
Header: "X-Csrf-Token",
Cookie: conf.Session.CSRFCookieName,
CookieDomain: conf.Server.URL.Hostname(),
CookiePath: conf.Server.Subpath,
CookieHttpOnly: true,
SetCookie: true,
Secure: conf.Server.URL.Scheme == "https",
}))
m.Use(toolbox.Toolboxer(m, toolbox.Options{
HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{
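Review bot: The CSRF cookie's Secure flag on the new side is derived from `conf.Server.URL.Scheme == "https"`, while the session cookie a few lines above takes it from `conf.Session.CookieSecure`, so one deployment can end up with one cookie marked Secure and the other not (for instance when TLS terminates at a reverse proxy and the external URL is still configured with a plain http scheme). Consider driving both cookies from the same source, e.g. `Secure: conf.Session.CookieSecure || conf.Server.URL.Scheme == "https",`, or add a comment explaining why the two are meant to differ. Separately, `CookieDomain: conf.Server.URL.Hostname()` is new in this hunk and turns the CSRF token into a domain cookie that browsers also send to every subdomain of that host, whereas leaving the Domain attribute unset yields a stricter host-only cookie; unless cross-subdomain sharing is required, omitting that line is the safer default. newMacaron starts before this hunk and continues past it.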
@ -412,9 +415,7 @@ func runWeb(c *cli.Context) error {
Post(bindIgnErr(form.UpdateOrgSetting{}), org.SettingsPost)
m.Post("/avatar", binding.MultipartForm(form.Avatar{}), org.SettingsAvatar)
m.Post("/avatar/delete", org.SettingsDeleteAvatar)
m.Group("/hooks", webhookRoutes)
m.Route("/delete", "GET,POST", org.SettingsDelete)
})