From f7864cb7d49a8ca5bddf8d1f68b71ecd5ed85adc Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero
Date: Tue, 23 Sep 2025 16:28:44 +0200
Subject: http.c: Always set SameSite=Strict to cookies

This cookie attribute allows to mitigate CSRF attacks, while not requiring the server to store additional data. [1]

[1]: https://owasp.org/www-community/SameSite
---
 http.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/http.c b/http.c
index fbdba54..54ed5e3 100644
--- a/http.c
+++ b/http.c
@@ -2533,15 +2533,16 @@ char *http_cookie_create(const char *const key, const char *const value)
 struct dynstr d;
 dynstr_init(&d);
- dynstr_append_or_ret_null(&d, "%s=%s; HttpOnly", key, value);
- if (append_expire(&d))
- {
- dynstr_free(&d);
- return NULL;
- }
+ if (dynstr_append(&d, "%s=%s; HttpOnly; SameSite=Strict", key, value) || append_expire(&d)) goto failure;
 return d.str;
+
+failure:
+ dynstr_free(&d);
+ return NULL;
 }
 int http_update(struct http_ctx *const h, bool *const write, bool *const close)
-- 
cgit v1.2.3
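Review bot: The rewritten Set-Cookie line still interpolates `key` and `value` with `%s=%s` and no validation, so a value containing `;`, a comma, whitespace or CR/LF would let a caller append further attributes after the `SameSite=Strict` this commit adds (or, with CR/LF, inject a second header); whether any caller passes request-derived data is not visible from here, but a cheap guard at the top of the function would be `if (strpbrk(key, ";,= \t\r\n") || strpbrk(value, ";,\" \\\t\r\n")) return NULL;` (RFC 6265 cookie-octet excludes those characters). Separately, the attribute literal now hard-codes `HttpOnly; SameSite=Strict` but not `Secure`; if this server is ever reached over TLS, that flag is what keeps the cookie off plain HTTP, and SameSite offers nothing for that case. Strict also withholds the cookie on top-level navigations arriving from other sites, so a session that must survive following a link from elsewhere would need `Lax`; a one-line comment beside the literal, e.g. `/* Strict: cookie is never sent on cross-site requests, including top-level links */`, would record that the trade-off was intended. The function's signature and opening brace lie outside the hunk.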