Age | Commit message | Author | |
---|---|---|---|
2018-09-08 | feat(cookies): Use the same-site attribute to lax (#8626) | Sorin Davidoi | |
CSRF-prevention is already implemented but adding this doesn't hurt. A brief introduction to Same-Site cookies (and the difference between strict and lax) can be found at https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ TLDR: We use lax since we want the cookies to be sent when the user navigates safely from an external site. | |||
2018-01-05 | Fix enforce HTTPS in production. (#6180) | Naoki Kosaka | |
2016-11-02 | Make cookies https-only if LOCAL_HTTPS is true, set X-Frame-Options to DENY, | Eugen Rochko | |
add permissive CORS to API controllers | |||
2016-02-20 | Initial commit | Eugen Rochko | |