diff options
| author | Fuwn <[email protected]> | 2026-06-01 13:01:06 +0000 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-06-01 13:01:06 +0000 |
| commit | 52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5 (patch) | |
| tree | 42c653a09d5fa0de9802f2e5ef9bd62f4a3d98ae /src/routes/api/authentication | |
| parent | fix(security): escape badge source/designer to close stored XSS (diff) | |
| download | due.moe-52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5.tar.xz due.moe-52bcd7cca8da48a62ba52d51ee5a1cf5f0a5f6a5.zip | |
fix(security): mark auth cookies Secure outside localhost
The user and logout cookies were set with secure:false, so the AniList
tokens the user cookie carries could traverse plaintext HTTP. Drop the
override and let SvelteKit's default apply (Secure everywhere except
http://localhost), giving Secure in production and on https://due.localhost
while keeping plain-http local dev working. httpOnly is unchanged (the
client reads the token from layout data; tightening that is tracked
separately as the architectural part of C2).
Diffstat (limited to 'src/routes/api/authentication')
| -rw-r--r-- | src/routes/api/authentication/log-out/+server.ts | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/src/routes/api/authentication/log-out/+server.ts b/src/routes/api/authentication/log-out/+server.ts index 8623dfd1..fd5d37bf 100644 --- a/src/routes/api/authentication/log-out/+server.ts +++ b/src/routes/api/authentication/log-out/+server.ts @@ -8,7 +8,6 @@ export const GET = ({ cookies }) => { maxAge: 60 * 60 * 24 * 7, httpOnly: false, sameSite: "lax", - secure: false, }); redirect(303, root("/")); |