Set cookie policy to SameSite=lax and httpOnly (#2498)

argoproj · Oct 17, 2019 · 8d5939f · 8d5939f
1 parent e8c21ab
commit 8d5939f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/server/server.go b/server/server.go
@@ -486,7 +486,7 @@ func (a *ArgoCDServer) newGRPCServer() *grpc.Server {
 // TranslateGrpcCookieHeader conditionally sets a cookie on the response.
 func (a *ArgoCDServer) translateGrpcCookieHeader(ctx context.Context, w http.ResponseWriter, resp golang_proto.Message) error {
 	if sessionResp, ok := resp.(*sessionpkg.SessionResponse); ok {
-		flags := []string{"path=/"}
+		flags := []string{"path=/", "SameSite=lax", "httpOnly"}
 		if !a.Insecure {
 			flags = append(flags, "Secure")
 		}