From b47721a02d3fdfb1b6a565df29c85e7c51d8c490 Mon Sep 17 00:00:00 2001
From: Adam Mathes
Date: Sat, 14 Feb 2026 11:02:38 -0800
Subject: feat: add secure_cookies configuration option\n\n- Added SecureCookies bool field to config.Settings\n- Added --secure-cookies command line flag\n- Updated CSRFMiddleware to use config setting instead of hardcoded value\n- Default is false for local development, set to true for production HTTPS\n- Updated config.example and README.md with documentation\n- Updated tests to pass config to CSRFMiddleware\n\nThis allows users to easily switch between insecure cookies (for local dev)\nand secure cookies (for production HTTPS) via config file or command line.
---
 web/web.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'web/web.go')

diff --git a/web/web.go b/web/web.go
index d8dd832..892def3 100644
--- a/web/web.go
+++ b/web/web.go
@@ -265,7 +265,7 @@ func NewRouter(cfg *config.Settings) http.Handler {
 	// Removed default root handler for legacy UI
-	return SecurityHeadersMiddleware(CSRFMiddleware(mux))
+	return SecurityHeadersMiddleware(CSRFMiddleware(cfg, mux))
 }
 
 func Serve(cfg *config.Settings) {
@@ -362,7 +362,7 @@ func generateRandomToken(n int) string {
 	return hex.EncodeToString(b)
 }
 
-func CSRFMiddleware(next http.Handler) http.Handler {
+func CSRFMiddleware(cfg *config.Settings, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		cookie, err := r.Cookie("csrf_token")
 		var token string
@@ -374,7 +374,7 @@ func CSRFMiddleware(next http.Handler) http.Handler {
 			Path: "/",
 			HttpOnly: false, // accessible by JS
 			SameSite: http.SameSiteNoneMode,
-			Secure: false, // Set to true in production with HTTPS
+			Secure: cfg.SecureCookies,
 		})
 	} else {
 		token = cookie.Value
-- 
cgit v1.2.3
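Review bot: The exported CSRFMiddleware gains a `cfg` parameter in the second hunk but still has no doc comment, and the new parameter is dereferenced later (`cfg.SecureCookies`) with no nil guard, so a caller passing nil panics inside the handler rather than at construction time. Add a doc comment such as `// CSRFMiddleware issues a csrf_token cookie to requests that lack one; cfg.SecureCookies controls the cookie's Secure attribute and cfg must be non-nil.` and consider an explicit `if cfg == nil { panic("web: CSRFMiddleware requires a non-nil config") }` before the HandlerFunc is built, so misuse fails loudly at router setup. The function body continues past the hunk, so whether cfg is read anywhere else is not visible here.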
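Review bot: In the third hunk `Secure` now follows `cfg.SecureCookies` while `SameSite` stays at `http.SameSiteNoneMode`, and current browsers discard a SameSite=None cookie that is not also Secure; with the documented default of false the csrf_token cookie is never stored on plain HTTP, so the token is regenerated on every request and the local-development configuration this commit introduces is the one in which the CSRF cookie does not work (the validation path is outside the hunk, so the exact failure mode there is inferred). Deriving SameSite from the same flag keeps cross-site use for the HTTPS deployment and gives a cookie that browsers accept for HTTP development. The `sameSite` variable has to be computed before the cookie literal, which begins above the hunk; if cross-site requests are required even in development, the alternative is to document that SameSite=None forces `secure_cookies=true` plus HTTPS locally.
```go
	// … unchanged: token generation before the cookie literal …
	// SameSite=None is only honoured by browsers on Secure cookies,
	// so fall back to Lax when cookies are sent over plain HTTP.
	sameSite := http.SameSiteLaxMode
	if cfg.SecureCookies {
		sameSite = http.SameSiteNoneMode
	}
	// … unchanged: cookie literal up to HttpOnly …
			SameSite: sameSite,
			Secure:   cfg.SecureCookies,
```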