diff options
Diffstat (limited to 'config/initializers')
-rw-r--r-- | config/initializers/devise.rb | 6 | ||||
-rw-r--r-- | config/initializers/makara.rb | 1 | ||||
-rw-r--r-- | config/initializers/secureheaders.rb | 10 | ||||
-rw-r--r-- | config/initializers/session_store.rb | 1 |
4 files changed, 8 insertions, 10 deletions
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index d3757b0d3..ef612e177 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -9,6 +9,7 @@ Warden::Manager.after_set_user except: :fetch do |user, warden| value: session_id, expires: 1.year.from_now, httponly: true, + secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } end @@ -19,6 +20,7 @@ Warden::Manager.after_fetch do |user, warden| value: warden.cookies.signed['_session_id'] || warden.raw_session['auth_id'], expires: 1.year.from_now, httponly: true, + secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } else @@ -227,6 +229,10 @@ Devise.setup do |config| # If true, extends the user's remember period when remembered via cookie. # config.extend_remember_period = false + # Options to be passed to the created cookie. For instance, you can set + # secure: true in order to force SSL only cookies. + config.rememberable_options = { secure: true } + # ==> Configuration for :validatable # Range for password length. config.password_length = 8..72 diff --git a/config/initializers/makara.rb b/config/initializers/makara.rb index afd29eda8..dc88fa63c 100644 --- a/config/initializers/makara.rb +++ b/config/initializers/makara.rb @@ -1 +1,2 @@ Makara::Cookie::DEFAULT_OPTIONS[:same_site] = :lax +Makara::Cookie::DEFAULT_OPTIONS[:secure] = Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true' diff --git a/config/initializers/secureheaders.rb b/config/initializers/secureheaders.rb deleted file mode 100644 index 6c8ac7fbe..000000000 --- a/config/initializers/secureheaders.rb +++ /dev/null @@ -1,10 +0,0 @@ -SecureHeaders::Configuration.default do |config| - config.cookies = { - secure: true, - httponly: true, - samesite: { - lax: true - } - } - config.csp = SecureHeaders::OPT_OUT -end diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index 7e3471ac4..e5d1be4c6 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -2,5 +2,6 @@ Rails.application.config.session_store :cookie_store, { key: '_mastodon_session', + secure: (Rails.env.production? || ENV['LOCAL_HTTPS'] == 'true'), same_site: :lax, } |