| field | value | date |
|---|---|---|
| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-03-22 13:53:01 +0100 |
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-03-22 13:53:01 +0100 |
| commit | 78e891f06ab94ef478de1c431157f7d634fe4ac8 (patch) | |
| tree | 028aae8f1277470d704d38d78d8628311dc9c640 /src/app | |
| parent | de41aa4531df4515de93eba685cfeb03227a5d4e (diff) | |
| download | camagru-78e891f06ab94ef478de1c431157f7d634fe4ac8.tar.gz camagru-78e891f06ab94ef478de1c431157f7d634fe4ac8.zip | |
Add session cookie hardening and Nginx security headers
Set httponly, samesite=Lax, and auto-detected secure flag on session
cookies. Add X-Content-Type-Options, X-Frame-Options, and
Content-Security-Policy headers in Nginx. Document both in README.
Diffstat (limited to 'src/app')
| -rw-r--r-- | src/app/bootstrap.php | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/app/bootstrap.php b/src/app/bootstrap.php index 835615b..144939b 100644 --- a/src/app/bootstrap.php +++ b/src/app/bootstrap.php @@ -3,6 +3,17 @@ declare(strict_types=1); // Application bootstrap: loads .env, registers the autoloader, and configures error reporting. +// Harden session cookie: httponly prevents JS access (mitigates XSS stealing +// the session ID), samesite=Lax blocks cross-origin form submissions while +// still allowing normal link navigation, secure ensures the cookie is only +// sent over HTTPS (automatically detected from the request) +$isHttps = ($_SERVER['HTTPS'] ?? '') === 'on' + || ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https'; +session_set_cookie_params([ + 'httponly' => true, + 'samesite' => 'Lax', + 'secure' => $isHttps, +]); session_start(); // Load .env |
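Review bot: the `$isHttps` detection in this hunk makes the cookie's `secure` flag depend on request headers rather than on the deployment, and `HTTP_X_FORWARDED_PROTO` is honoured from any client. When the app is reached over plain HTTP, `$isHttps` is false and the session cookie is issued without `Secure`, which is precisely the case the flag exists to prevent; conversely a plain-HTTP request carrying `X-Forwarded-Proto: https` receives a `Secure` cookie the browser will never return, so the session silently breaks. Since the commit message states Nginx fronts the app with security headers (and presumably TLS), prefer `'secure' => true` unconditionally, or derive it from configuration; if the forwarded header must be consulted, only trust it when `$_SERVER['REMOTE_ADDR']` is the proxy. The ordering is correct (`session_set_cookie_params` precedes `session_start()`); while here, consider adding `ini_set('session.use_strict_mode', '1');` before `session_start()` so PHP rejects session IDs it did not issue, which complements the fixation protections these cookie flags provide.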
