Diffstat (limited to 'src/app/bootstrap.php')
| -rw-r--r-- | src/app/bootstrap.php | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/app/bootstrap.php b/src/app/bootstrap.php
index 835615b..144939b 100644
--- a/src/app/bootstrap.php
+++ b/src/app/bootstrap.php
@@ -3,6 +3,17 @@
 declare(strict_types=1);
 // Application bootstrap: loads .env, registers the autoloader, and configures error reporting.
+// Harden session cookie: httponly prevents JS access (mitigates XSS stealing
+// the session ID), samesite=Lax blocks cross-origin form submissions while
+// still allowing normal link navigation, secure ensures the cookie is only
+// sent over HTTPS (automatically detected from the request)
+$isHttps = ($_SERVER['HTTPS'] ?? '') === 'on' || ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
+session_set_cookie_params([
+ 'httponly' => true,
+ 'samesite' => 'Lax',
+ 'secure' => $isHttps,
+]);
 session_start();
 // Load .env |
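Review bot: The `$isHttps` detection in this hunk only accepts `$_SERVER['HTTPS'] === 'on'`, but PHP documents that variable as "non-empty" on TLS requests (and `'off'` under IIS), so a server that sets it to `1` silently produces `'secure' => false` and the session cookie becomes sendable over plain HTTP; the first clause should be `$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'`. The `HTTP_X_FORWARDED_PROTO` clause is a client-supplied header unless a reverse proxy in front of this app overwrites it, so it should only be consulted when the request arrives from a known proxy address, or the flag should simply be pinned to `'secure' => true` in production configuration instead of being detected per request. Because the flag fails open when detection misses, it is worth pairing this with the `session.cookie_secure` and `session.use_strict_mode` ini settings so a misconfigured proxy cannot quietly downgrade the cookie. The new comment should also say that `samesite=Lax` still attaches the cookie to cross-site top-level GET navigations, so any state-changing GET endpoint remains reachable by CSRF.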
