diff --git a/Oqtane.Server/Components/App.razor b/Oqtane.Server/Components/App.razor
index 327b686fe..dfa24d54c 100644
--- a/Oqtane.Server/Components/App.razor
+++ b/Oqtane.Server/Components/App.razor
@@ -429,7 +429,10 @@ new CookieOptions() { Expires = DateTimeOffset.UtcNow.AddYears(10),
- IsEssential = true
+ IsEssential = true,
+ SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+ Secure = true, // Ensure the cookie is only sent over HTTPS
+ HttpOnly = true // Optional: Helps mitigate XSS attacks } ); }
@@ -601,9 +604,19 @@ private void SetLocalizationCookie(string culture) {
+ var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions
+ {
+ Expires = DateTimeOffset.UtcNow.AddYears(1),
+ SameSite = Microsoft.AspNetCore.Http.SameSiteMode.Lax, // Set SameSite attribute
+ Secure = true, // Ensure the cookie is only sent over HTTPS
+ HttpOnly = true // Optional: Helps mitigate XSS attacks
+ }; + Context.Response.Cookies.Append( CookieRequestCultureProvider.DefaultCookieName,
- CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)));
+ CookieRequestCultureProvider.MakeCookieValue(new RequestCulture(culture)),
+ cookieOptions
+ ); } private async Task> GetPageResources(Alias alias, Site site, Page page, List modules, int moduleid, string action)
diff --git a/Oqtane.Server/Startup.cs b/Oqtane.Server/Startup.cs
index d4bf01610..164d86618 100644
--- a/Oqtane.Server/Startup.cs
+++ b/Oqtane.Server/Startup.cs
@@ -100,6 +100,7 @@ public void ConfigureServices(IServiceCollection services) options.Cookie.Name = Constants.AntiForgeryTokenCookieName; options.Cookie.SameSite = SameSiteMode.Strict; options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+ options.Cookie.HttpOnly = true; }); services.AddIdentityCore(options => { })
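Review bot: The new `Secure = true` line is unconditional, so if this response is served over plain HTTP the browser rejects the Set-Cookie and the cookie is simply never stored (Secure cookies are only accepted from secure origins, localhost aside); the antiforgery cookie touched by this same commit uses `CookieSecurePolicy.SameAsRequest` instead, so the two policies are inconsistent. If HTTP deployments (dev, or a TLS-terminating proxy without forwarded headers configured) are still supported, `Secure = Context.Request.IsHttps,` follows the request (`Context` is what the SetLocalizationCookie hunk in this file uses); if they are not, a comment should say so rather than leaving a silent failure. The `// Optional: Helps mitigate XSS attacks` comment overstates the flag — HttpOnly only keeps the value out of `document.cookie`, it does not mitigate XSS — and "Optional" is noise in committed code; `HttpOnly = true // not readable from script` is accurate. Whether anything on the client reads this cookie from script cannot be judged here: the `Append` call and the cookie name this initializer belongs to begin before the hunk.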
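Review bot: `HttpOnly = true` on the culture cookie in SetLocalizationCookie is a functional risk rather than pure hardening: if the WebAssembly client reads `.AspNetCore.Culture` through JS interop to choose its culture at startup (I believe Oqtane.Client does — confirm before merging), the value disappears from `document.cookie` and the client silently falls back to the default culture. `Secure = true` carries the same caveat as the earlier hunk — over plain HTTP the browser drops the cookie and the language switch appears to do nothing — so `Secure = Context.Request.IsHttps,` is the safer form unless HTTP is explicitly unsupported, in which case a comment should say so. The new `Expires` also turns what the removed two-argument `Append` call produced as a session cookie into a one-year persistent one, a behaviour change worth a one-line comment on that line. Style: `Microsoft.AspNetCore.Http.CookieOptions` and `...SameSiteMode.Lax` are fully qualified here while the earlier hunk in this file writes bare `new CookieOptions()`, so the namespace is already imported and `new CookieOptions { ..., SameSite = SameSiteMode.Lax, ... }` would match the rest of the file.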
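Review bot: The added `options.Cookie.HttpOnly = true;` restates the framework default — `AntiforgeryOptions.Cookie` already ships with `HttpOnly = true` (and `SameSite = Strict`) — so this hunk does not change the emitted Set-Cookie header. Keeping it as an explicit statement of intent is reasonable, but then a comment should say that, e.g. `options.Cookie.HttpOnly = true; // framework default, stated explicitly`. The line that actually decides the cookie's exposure, `SecurePolicy = CookieSecurePolicy.SameAsRequest` just above, still lets the antiforgery cookie be set without Secure on any HTTP request; if the site is HTTPS-only, `CookieSecurePolicy.Always` is the stronger choice and would also line up with the unconditional `Secure = true` this commit puts on the App.razor cookies. The options lambda these assignments belong to begins before the hunk.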