Diffstat (limited to 'web')
| -rw-r--r-- | web/web.go | 6 | ||||
| -rw-r--r-- | web/web_test.go | 3 |
2 files changed, 5 insertions, 4 deletions
@@ -265,7 +265,7 @@ func NewRouter(cfg *config.Settings) http.Handler {
 // Removed default root handler for legacy UI
- return SecurityHeadersMiddleware(CSRFMiddleware(mux))
+ return SecurityHeadersMiddleware(CSRFMiddleware(cfg, mux))
 }
 func Serve(cfg *config.Settings) {
@@ -362,7 +362,7 @@ func generateRandomToken(n int) string {
 return hex.EncodeToString(b)
 }
-func CSRFMiddleware(next http.Handler) http.Handler {
+func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 cookie, err := r.Cookie("csrf_token")
 var token string
@@ -374,7 +374,7 @@ func CSRFMiddleware(next http.Handler) http.Handler {
 Path: "/",
 HttpOnly: false, // accessible by JS
 SameSite: http.SameSiteNoneMode,
- Secure: false, // Set to true in production with HTTPS
+ Secure: cfg.SecureCookies,
 })
 } else {
 token = cookie.Value
diff --git a/web/web_test.go b/web/web_test.go
index c6cf306..0cd2764 100644
--- a/web/web_test.go
+++ b/web/web_test.go
@@ -737,7 +737,8 @@ func TestGzipMiddlewareNonCompressible(t *testing.T) {
 }
 func TestCSRFMiddleware(t *testing.T) {
-handler := CSRFMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ cfg := &config.Settings{SecureCookies: false}
+ handler := CSRFMiddleware(cfg, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 w.WriteHeader(http.StatusOK)
 })) |
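Review bot: The cookie still carries `SameSite: http.SameSiteNoneMode` while `Secure` is now driven by `cfg.SecureCookies`, and browsers only honour SameSite=None on a Secure cookie — so with SecureCookies false (the value the updated test uses) Chromium-based browsers silently drop the csrf_token cookie, the middleware mints a fresh token on every request, and whatever double-submit comparison follows presumably never matches. Either document that SecureCookies must be true whenever cross-site use is needed, or derive SameSite from the same flag so an insecure deployment falls back to Lax instead of an unusable None. Note also that `cfg.SecureCookies` is read inside the per-request closure, so a nil cfg panics on the first request rather than when NewRouter runs; capturing the bool once before `http.HandlerFunc` would surface that at startup. The `http.SetCookie` call and the enclosing function begin above this hunk.
```go
// Browsers reject SameSite=None unless the cookie is also Secure, so only
// ask for None when we can actually set Secure; otherwise fall back to Lax.
sameSite := http.SameSiteLaxMode
if cfg.SecureCookies {
	sameSite = http.SameSiteNoneMode
}
// … unchanged: http.SetCookie call, Name/Value/Path/HttpOnly fields …
SameSite: sameSite,
Secure:   cfg.SecureCookies,
```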
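Review bot: The test now passes `&config.Settings{SecureCookies: false}` but asserts nothing about the issued cookie, so the one behaviour this commit changes — the Secure flag following configuration — is still untested, and a regression back to a hard-coded `false` would pass. Add a second case with `SecureCookies: true` and inspect the cookie on the recorded response, e.g. `cs := rec.Result().Cookies()` followed by `if len(cs) == 0 || cs[0].Name != "csrf_token" || !cs[0].Secure { t.Fatalf("csrf_token cookie not Secure: %+v", cs) }`, using whatever `httptest.ResponseRecorder` the existing body already drives. The remainder of TestCSRFMiddleware continues outside this hunk, so the exact recorder variable name is not visible here.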
