From de28e06d8fd165b2b55be6e5a8458259833148e7 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Sat, 20 Nov 2021 16:34:37 -0700
Subject: [PATCH] Improve cookie security when `HTTPS_ONLY` is set

Adds the "Secure" flag and "__Secure-" prefix if the `HTTPS_ONLY`
environment variable is enabled.

Fixes #539
---
 app/__init__.py | 7 ++++++-
 app/routes.py   | 3 ++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/__init__.py b/app/__init__.py
index c3fe504..077b97f 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -15,7 +15,7 @@ app = Flask(__name__, static_folder=os.path.dirname(
     os.path.abspath(__file__)) + '/static')
 
 # Load .env file if enabled
-if os.getenv("WHOOGLE_DOTENV", ''):
+if os.getenv('WHOOGLE_DOTENV', ''):
     dotenv_path = '../whoogle.env'
     load_dotenv(os.path.join(os.path.dirname(os.path.abspath(__file__)),
                              dotenv_path))
@@ -24,6 +24,11 @@ app.default_key = generate_user_key()
 app.config['SECRET_KEY'] = os.urandom(32)
 app.config['SESSION_TYPE'] = 'filesystem'
 app.config['SESSION_COOKIE_SAMESITE'] = 'strict'
+
+if os.getenv('HTTPS_ONLY'):
+    app.config['SESSION_COOKIE_NAME'] = '__Secure-session'
+    app.config['SESSION_COOKIE_SECURE'] = True
+
 app.config['VERSION_NUMBER'] = '0.6.0'
 app.config['APP_ROOT'] = os.getenv(
     'APP_ROOT',
diff --git a/app/routes.py b/app/routes.py
index 2e066fc..b630be5 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -518,7 +518,8 @@ def run_app() -> None:
     os.environ['WHOOGLE_PROXY_TYPE'] = args.proxytype
     os.environ['WHOOGLE_PROXY_LOC'] = args.proxyloc
 
-    os.environ['HTTPS_ONLY'] = '1' if args.https_only else ''
+    if args.https_only:
+        os.environ['HTTPS_ONLY'] = '1'
 
     if args.debug:
         app.run(host=args.host, port=args.port, debug=args.debug)
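Review bot: The new `if os.getenv('HTTPS_ONLY'):` in app/__init__.py is true for any non-empty value, so `HTTPS_ONLY=0` or `HTTPS_ONLY=false` set in the environment would still switch on `SESSION_COOKIE_SECURE` and the `__Secure-session` name; a browser talking plain HTTP then refuses to store that cookie and the session silently never persists. The run_app() hunk only ever writes `'1'`, but the variable can also come from the environment or the .env file loaded a few lines above, so a value check is safer: `if os.getenv('HTTPS_ONLY', '').lower() not in ('', '0', 'false'):`. A one-line comment above the block would also save operators a debugging session, e.g. `# Requires clients to reach the app over HTTPS (a TLS-terminating proxy in front of plain-HTTP Flask is fine); over plain HTTP the session cookie is dropped by the browser.`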
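Review bot: The export of `HTTPS_ONLY` inside run_app() most likely happens too late to affect the cookie settings this commit adds, because the app/__init__.py hunk evaluates `os.getenv('HTTPS_ONLY')` once at module import time, and routes.py (where run_app() lives) is normally imported by or after app/__init__.py; if that ordering holds, `--https-only` would still be visible to request-time checks but the session cookie would keep its default name and lack the Secure flag. The import order is not visible in this diff, so it is worth confirming by starting with `--https-only` and inspecting the Set-Cookie header. If confirmed, the two config lines could be applied right after the export, e.g. `app.config['SESSION_COOKIE_NAME'] = '__Secure-session'` and `app.config['SESSION_COOKIE_SECURE'] = True` under the same `if args.https_only:`, or moved into a small helper called from both places. Note also that dropping the `else ''` branch means an `HTTPS_ONLY` value inherited from the shell is no longer cleared when the flag is absent, which is reasonable but is a behaviour change worth a line in the description. run_app()'s body continues outside the hunk.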