Harden API and session security: enforce CSRF on cookie-auth /api/v1 writes, exempt bot bearer tokens, and set SameSite=Lax + conditional Secure on auth/CSRF/ip-session cookies

src/web/csrf.js

@@ -13,10 +13,13 @@ exports.init = function csrfInit (domain) {
         var secret = req.signedCookies._csrf;
         if (!secret) {
             secret = tokens.secretSync();
+            const secure = req.realProtocol === 'https' || req.secure === true;
             res.cookie("_csrf", secret,  {
                 domain: domain,
                 signed: true,
-                httpOnly: true
+                httpOnly: true,
+                sameSite: 'lax',
+                secure
             });
         }
 

src/web/middleware/ipsessioncookie.js

@@ -38,10 +38,13 @@ export function ipSessionCookieMiddleware(req, res, next) {
     }
 
     if (!hasSession) {
+        const secure = req.realProtocol === 'https' || req.secure === true;
         res.cookie('ip-session', createIPSessionCookie(req.realIP, firstSeen), {
             signed: true,
             httpOnly: true,
-            expires: NO_EXPIRATION
+            expires: NO_EXPIRATION,
+            sameSite: 'lax',
+            secure
         });
     }
 

src/web/webserver.js

@@ -241,21 +241,23 @@ module.exports = {
     },
 
     setAuthCookie: function setAuthCookie(req, res, expiration, auth) {
+        const secure = req.realProtocol === 'https' || req.secure === true;
+        const baseCookieOptions = {
+            expires: expiration,
+            httpOnly: true,
+            signed: true,
+            sameSite: 'lax',
+            secure
+        };
+
         if (req.hostname.indexOf(Config.get("http.root-domain")) >= 0) {
             // Prevent non-root cookie from screwing things up
             res.clearCookie("auth");
-            res.cookie("auth", auth, {
+            res.cookie("auth", auth, Object.assign({}, baseCookieOptions, {
                 domain: Config.get("http.root-domain-dotted"),
-                expires: expiration,
-                httpOnly: true,
-                signed: true
-            });
+            }));
         } else {
-            res.cookie("auth", auth, {
-                expires: expiration,
-                httpOnly: true,
-                signed: true
-            });
+            res.cookie("auth", auth, baseCookieOptions);
         }
     }
 };