authorClaire <claire.github-309c@sitedethib.com>2021-02-11 23:47:05 +0100
committerGitHub <noreply@github.com>2021-02-11 23:47:05 +0100
commit21fb3f3684782628319a0d6339dd9fd446c2b673 (patch)
tree029bcaeb2658ca28524661f451abe88c28a289e0 /config/initializers
parenteb23f985928f5d394209475ad4308a4d20dfb5f2 (diff)
Drop dependency on secure_headers, fix response headers (#15712)
* Drop dependency on secure_headers, use always_write_cookie instead

* Fix cookies in Tor Hidden Services by moving configuration to application.rb

* Instead of setting always_write_cookie at boot, monkey-patch ActionDispatch
Diffstat (limited to 'config/initializers')
-rw-r--r--config/initializers/devise.rb6
-rw-r--r--config/initializers/makara.rb1
-rw-r--r--config/initializers/secureheaders.rb10
-rw-r--r--config/initializers/session_store.rb1
4 files changed, 8 insertions, 10 deletions
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index d3757b0d3..ef612e177 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -9,6 +9,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden|
     value: session_id,
     expires: 1.year.from_now,
     httponly: true,
+    secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
     same_site: :lax,
   }
 end
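Review bot: The expression on the added `secure:` line, `Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'`, is repeated verbatim in the next hunk of this file, in makara.rb and in session_store.rb, so the four sites can silently drift the next time the condition changes; computing it once (for example `SECURE_COOKIES = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'` in an initializer that loads before these, or a `Rails.configuration.x` entry) and referencing it at each site would keep them in step. Also worth a one-line comment at the first site: before this commit the deleted secureheaders.rb set `secure: true` unconditionally, whereas now a non-production instance served over HTTPS only gets secure cookies when `LOCAL_HTTPS=true` is set, so `# LOCAL_HTTPS=true is the opt-in for secure cookies outside production` would make the intent explicit. The `after_set_user` block this hunk edits starts outside the hunk.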
@@ -19,6 +20,7 @@ Warden::Manager.after_fetch do |user, warden|
       value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'],
       expires: 1.year.from_now,
       httponly: true,
+      secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
       same_site: :lax,
     }
   else
@@ -227,6 +229,10 @@ Devise.setup do |config|
   # If true, extends the user's remember period when remembered via cookie.
   # config.extend_remember_period = false
 
+  # Options to be passed to the created cookie. For instance, you can set
+  # secure: true in order to force SSL only cookies.
+  config.rememberable_options = { secure: true }
+
   # ==> Configuration for :validatable
   # Range for password length.
   config.password_length = 8..72
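Review bot: `config.rememberable_options = { secure: true }` marks the remember-me cookie secure unconditionally, which is inconsistent with the conditional flag the same commit applies to the session, auth and Makara cookies; in development without `LOCAL_HTTPS=true` the browser will not send a secure cookie over plain HTTP, so "remember me" would silently stop working there while the other cookies keep working. Using the same condition, `config.rememberable_options = { secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true') }`, keeps all cookie flags consistent. The `Devise.setup` block continues outside the hunk.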
diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb
index afd29eda8..dc88fa63c 100644
--- a/config/initializers/makara.rb
+++ b/config/initializers/makara.rb
@@ -1 +1,2 @@
 Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax
+Makara::Cookie::DEFAULT_OPTIONS[:secure]    = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'
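Review bot: The run of spaces before `=` on the added line aligns it with the line above but will be flagged by RuboCop's Layout/ExtraSpacing under the default style this repository follows; `Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'` with a single space is the conventional form. The condition itself is the same one used in devise.rb and session_store.rb, so a shared constant would avoid keeping four copies in sync.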
diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb
deleted file mode 100644
index 6c8ac7fbe..000000000
--- a/config/initializers/secureheaders.rb
+++ /dev/null
@@ -1,10 +0,0 @@
-SecureHeaders::Configuration.default do |config|
-  config.cookies = {
-    secure: true,
-    httponly: true,
-    samesite: {
-      lax: true
-    }
-  }
-  config.csp = SecureHeaders::OPT_OUT
-end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 7e3471ac4..e5d1be4c6 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -2,5 +2,6 @@
 
 Rails.application.config.session_store :cookie_store, {
   key: '_mastodon_session',
+  secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'),
   same_site: :lax,
 }