From 78e891f06ab94ef478de1c431157f7d634fe4ac8 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien
Date: Sun, 22 Mar 2026 13:53:01 +0100
Subject: Add session cookie hardening and Nginx security headers

Set httponly, samesite=Lax, and auto-detected secure flag on session cookies. Add X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy headers in Nginx. Document both in README.
---
 src/app/bootstrap.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'src/app/bootstrap.php')

diff --git a/src/app/bootstrap.php b/src/app/bootstrap.php
index 835615b..144939b 100644
--- a/src/app/bootstrap.php
+++ b/src/app/bootstrap.php
@@ -3,6 +3,17 @@ declare(strict_types=1);
 
 // Application bootstrap: loads .env, registers the autoloader, and configures error reporting.
 
+// Harden session cookie: httponly prevents JS access (mitigates XSS stealing
+// the session ID), samesite=Lax blocks cross-origin form submissions while
+// still allowing normal link navigation, secure ensures the cookie is only
+// sent over HTTPS (automatically detected from the request)
+$isHttps = ($_SERVER['HTTPS'] ?? '') === 'on'
+    || ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
+session_set_cookie_params([
+    'httponly' => true,
+    'samesite' => 'Lax',
+    'secure' => $isHttps,
+]);
 session_start();
 
 // Load .env
-- cgit v1.2.3
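Review bot: The `secure` flag is derived from the incoming request at `'secure' => $isHttps,`, so any request that reaches PHP over plain HTTP — a direct hit that bypasses the proxy, or a proxy that does not set `X-Forwarded-Proto` — mints a session cookie without `Secure`, and `X-Forwarded-Proto` is client-supplied unless the proxy is known to overwrite it. Since the commit message says the app sits behind Nginx, prefer an explicit setting over auto-detection, `'secure' => true,` in production or a config flag; note that `session_start()` runs before the `// Load .env` context line, so a `.env`-driven value would need this session block moved below the .env load (the loading code itself is outside the hunk). Independently, `session.use_strict_mode` is not enabled, so PHP will still adopt an attacker-chosen session ID presented in the cookie (session fixation); add `ini_set('session.use_strict_mode', '1');` before `session_start();`. The comment's claim that Lax "blocks cross-origin form submissions" holds only for POST — cross-site top-level GET navigations still carry the cookie — so I would reword it to `samesite=Lax blocks cross-site POST submissions (GET navigations still carry the cookie, so keep CSRF tokens on state-changing endpoints)`.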