From 80d0a1f5207378f80e7c851fba13396b6f78f785 Mon Sep 17 00:00:00 2001
From: Joris
Date: Fri, 28 Feb 2020 11:29:31 +0100
Subject: Update login cookie to be http only

The login cookie should not be used from the client in JavaScript.
---
 server/src/Cookie.hs | 1 +
 1 file changed, 1 insertion(+)

(limited to 'server/src')

diff --git a/server/src/Cookie.hs b/server/src/Cookie.hs
index f79a1fa..00d73f2 100644
--- a/server/src/Cookie.hs
+++ b/server/src/Cookie.hs
@@ -34,6 +34,7 @@ makeSimpleCookie conf name value =
     , setCookieValue = TS.encodeUtf8 value
     , setCookiePath = Just $ TS.encodeUtf8 "/"
     , setCookieSecure = Conf.https conf
+    , setCookieHttpOnly = True
     }
 
 setCookie :: (Monad m) => SetCookie -> ActionT e m ()
-- 
cgit v1.2.3