Adds secure, httponly, and SameSite=lax to cookies by default

[anglinb]

Adds secure and httponly flags to cookies by default, targeting a 4.0 release tracked by #286.

/CC @stve @oreoshake

Outstanding Questions:

Should 4.0 also include SameSite=Lax?

- Default cookies to secure, httponly, samsite=lax

Suggested CHANGELOG entry

(I'm not sure if I should add this to the actual CHANGELOG file b/c I don't know which release this will get pulled into)

Adds secure and httponly flags to all cookies by default.

All Prs

• Has tests
• Documentation updated

[oreoshake]

@stve you're the most familiar with this code. Can you take a look 👀?

[stve]

@anglinb nice work!

I think this all looks good with one point we may need to discuss further.

Main question is how we want to handle a configuration that doesn't specify secure or httponly. If a custom configuration is used, do defaults still get applied or should a custom config supercede any defaults?

@oreoshake how is this handled elsewhere within the configuration?

[stve]

👍 for adding support for SecureHeaders::OPT_OUT this was a HUGE miss on my part in the initial implementation.

[stve]

I wonder if it would make sense to define the default as { secure: true, httponly: true} as opposed to checking for nil in the configuration.

I'm of the opinion that if a configuration is defined (even if it disables secure or httponly), you shouldn't have to opt-out of each configuration explicitly.

[oreoshake]

Per #341 (comment), I think we should go with

config[:secure] = true unless config[:secure] == OPT_OUT
config[:httponly] = true unless config[:httponly] == OPT_OUT

[oreoshake]

Main question is how we want to handle a configuration that doesn't specify secure or httponly.

You should have to explicitly say secure: OPT_OUT and http_only: OPT_OUT in my mind.

[stve]

You should have to explicitly say secure: OPT_OUT and http_only: OPT_OUT in my mind.

@anglinb can you add tests for when secure and httponly are set with OPT_OUT? After that I think we're good to merge.

[oreoshake]

@anglinb sorry for not identifying the OPT_OUT stuff during 🍐. Do you have time to update this? I can take over if you're busy but I'm hoping to get 4.x out this week or next.

[anglinb]

@oreoshake @stve Thanks for taking a look! I'll address your feedback this afternoon--totally missed these notifications 🙃

[oreoshake]

While you're at it... let's default samesite to lax

/me ducks

Break all the things. I'll add a post-install message to broadcast this change (along with the others).

[anglinb]

@oreoshake Sounds good. Will take care of the two changes:

• Force users to explicitly opt out by supplying {http_only: OPT_OUT}
• Add SameSite=Lax by default

I'm still going to allow the global, OPT_OUT. So if config = OPT_OUT is equivalent to config = {http_only: OPT_OUT, secure: OPT_OUT, same_site: OPT_OUT}. Does that make sense? @stve @oreoshake

[oreoshake]

I'm still going to allow the global, OPT_OUT. So if config = OPT_OUT is equivalent to config = {http_only: OPT_OUT, secure: OPT_OUT, same_site: OPT_OUT}. Does that make sense?

👍

[anglinb]

^ Just added SameSite=Lax. Please take a look when you have a sec. I think addressed all of the comments. 😄

@stve @oreoshake

[oreoshake]

Looks good at first glance ☎️ but I'll take a closer look on Monday 💻