Set secure and httponly flags on admin session cookie.

These help prevent session sidejacking or mitigate the impact of potential XSS issues.
NREL · Apr 11, 2015 · 5d095bc · 5d095bc
1 parent f57ac5c
commit 5d095bc
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
@@ -1,6 +1,14 @@
 # Be sure to restart your server when you modify this file.
 
-ApiUmbrella::Application.config.session_store :cookie_store, :key => '_api_umbrella_session'
+ApiUmbrella::Application.config.session_store(:cookie_store, {
+  :key => "_api_umbrella_session",
+
+  # Don't allow cookies to be accessed by javascript.
+  :httponly => true,
+
+  # Use secure cookies to prevent sidejacking.
+  :secure => !["development", "test"].include?(Rails.env),
+})
 
 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information