fix(striker-ui-api): set session cookie options

* Set 'secure' because we don't have a certificate yet * Set 'httpOnly' to avoid exposing the cookie in 'document'
2 years ago · dc765b3719
parent 2eb5b8a094
commit dc765b3719
1 changed files with 5 additions and 1 deletions
--- a/striker-ui-api/src/session.ts
+++ b/striker-ui-api/src/session.ts
@ -182,7 +182,11 @@ export class SessionStore extends BaseSessionStore {

 export default (async () =>
  expressSession({
-    cookie: { maxAge: DEFAULT_COOKIE_ORIGINAL_MAX_AGE },
+    cookie: {
+      httpOnly: true,
+      maxAge: DEFAULT_COOKIE_ORIGINAL_MAX_AGE,
+      secure: false,
+    },
    genid: ({ path }) => {
      const sid = uuid();