authorXavier Del Campo Romero <xavi92@disroot.org>2025-09-23 16:28:44 +0200
committerXavier Del Campo Romero <xavi92@disroot.org>2025-09-23 16:28:44 +0200
commitf7864cb7d49a8ca5bddf8d1f68b71ecd5ed85adc (patch)
tree756a5e6b503e49e53675e166985e7b6b72c44f9f
parent5d47b2d12caba33793a078d2eafae6ae3d2ad921 (diff)
http.c: Always set SameSite=Strict to cookies
This cookie attribute helps mitigate CSRF attacks without requiring the server to store additional data. [1] [1]: https://owasp.org/www-community/SameSite
-rw-r--r--http.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/http.c b/http.c
index fbdba54..54ed5e3 100644
--- a/http.c
+++ b/http.c
@@ -2533,15 +2533,16 @@ char *http_cookie_create(const char *const key, const char *const value)
struct dynstr d;
dynstr_init(&d);
- dynstr_append_or_ret_null(&d, "%s=%s; HttpOnly", key, value);
- if (append_expire(&d))
- {
- dynstr_free(&d);
- return NULL;
- }
+ if (dynstr_append(&d, "%s=%s; HttpOnly; SameSite=Strict", key, value)
+ || append_expire(&d))
+ goto failure;
return d.str;
+
+failure:
+ dynstr_free(&d);
+ return NULL;
}
int http_update(struct http_ctx *const h, bool *const write, bool *const close)
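Review bot: The cookie string built on the added line `dynstr_append(&d, "%s=%s; HttpOnly; SameSite=Strict", key, value)` still carries no `Secure` attribute, so a browser may send this cookie over cleartext HTTP if the server is ever reachable that way; SameSite=Strict limits cross-site sending but says nothing about transport. If the server is only ever served behind TLS, a one-line change to `"%s=%s; HttpOnly; Secure; SameSite=Strict"` closes that gap, otherwise a short comment stating why Secure is deliberately omitted would help the next reader. The same line also interpolates key and value unchecked, so if either can contain `;` or CR/LF the attribute list could be altered; whether callers guarantee that is not visible here, and a comment such as `/* key and value must not contain ';' or CR/LF; callers are responsible */` would document the assumption. The start of http_cookie_create lies outside the hunk.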