Improve cookie security when `HTTPS_ONLY` is set

Adds the "Secure" flag and "__Secure-" prefix if the `HTTPS_ONLY` environment variable is enabled. Fixes #539
2021-11-20 16:34:37 -07:00 · 2021-11-20 16:34:37 -07:00 · de28e06d8f
parent a768c1b5aa
commit de28e06d8f
2 changed files with 8 additions and 2 deletions
--- a/app/init.py
+++ b/app/init.py
@ -15,7 +15,7 @@ app = Flask(__name__, static_folder=os.path.dirname(
    os.path.abspath(__file__)) + '/static')
 # Load .env file if enabled
-if os.getenv("WHOOGLE_DOTENV", ''):
+if os.getenv('WHOOGLE_DOTENV', ''):
    dotenv_path = '../whoogle.env'
    load_dotenv(os.path.join(os.path.dirname(os.path.abspath(__file__)),
                             dotenv_path))
@ -24,6 +24,11 @@ app.default_key = generate_user_key()
 app.config['SECRET_KEY'] = os.urandom(32)
 app.config['SESSION_TYPE'] = 'filesystem'
 app.config['SESSION_COOKIE_SAMESITE'] = 'strict'
 if os.getenv('HTTPS_ONLY'):
    app.config['SESSION_COOKIE_NAME'] = '__Secure-session'
    app.config['SESSION_COOKIE_SECURE'] = True
 app.config['VERSION_NUMBER'] = '0.6.0'
 app.config['APP_ROOT'] = os.getenv(
    'APP_ROOT',
--- a/app/routes.py
+++ b/app/routes.py
@ -518,7 +518,8 @@ def run_app() -> None:
        os.environ['WHOOGLE_PROXY_TYPE'] = args.proxytype
        os.environ['WHOOGLE_PROXY_LOC'] = args.proxyloc
-    os.environ['HTTPS_ONLY'] = '1' if args.https_only else ''
+    if args.https_only:
        os.environ['HTTPS_ONLY'] = '1'
    if args.debug:
        app.run(host=args.host, port=args.port, debug=args.debug)