Use SameSite=strict for orangelight cookie

This reduces the number of scenarios in which the cookie will be sent, providing better CSRF protection and reducing the size of the Cookies header in some cases.
pulibrary · Jan 10, 2024 · 4e72bea · 4e72bea
1 parent b055c70
commit 4e72bea
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/config/initializers/cookies_serializer.rb b/config/initializers/cookies_serializer.rb
@@ -3,3 +3,4 @@
 # Be sure to restart your server when you modify this file.
 
 Rails.application.config.action_dispatch.cookies_serializer = :json
+Rails.application.config.action_dispatch.cookies_same_site_protection = :strict
diff --git a/spec/requests/cookies_spec.rb b/spec/requests/cookies_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+require 'rails_helper'
+RSpec.describe 'Cookies' do
+  it 'sets SameSite=strict' do
+    get '/'
+    expect(response.headers['Set-Cookie']).to include('SameSite=Strict')
+  end
+  it 'sets HttpOnly' do
+    get '/'
+    expect(response.headers['Set-Cookie']).to include('HttpOnly')
+  end
+  it 'sets Secure' do
+    get '/'
+    expect(response.headers['Set-Cookie']).to include('HttpOnly')
+  end
+end