feat: Add strict transport security and secure cookie options (#741)

f0ssel · web-flow · commit 0d53795c0d95 · 2022-03-31T12:31:06.000-05:00
diff --git a/cli/start.go b/cli/start.go
@@ -56,6 +56,7 @@ func start() *cobra.Command {
 		tlsMinVersion          string
 		useTunnel              bool
 		traceDatadog           bool
+		secureAuthCookie       bool
 	)
 	root := &cobra.Command{
 		Use: "start",
@@ -132,6 +133,7 @@ func start() *cobra.Command {
 				Database:             databasefake.New(),
 				Pubsub:               database.NewPubsubInMemory(),
 				GoogleTokenValidator: validator,
+				SecureAuthCookie:     secureAuthCookie,
 			}
 
 			if !dev {
@@ -334,6 +336,7 @@ func start() *cobra.Command {
 	cliflag.BoolVarP(root.Flags(), &useTunnel, "tunnel", "", "CODER_DEV_TUNNEL", true, "Serve dev mode through a Cloudflare Tunnel for easy setup")
 	_ = root.Flags().MarkHidden("tunnel")
 	cliflag.BoolVarP(root.Flags(), &traceDatadog, "trace-datadog", "", "CODER_TRACE_DATADOG", false, "Send tracing data to a datadog agent")
+	cliflag.BoolVarP(root.Flags(), &secureAuthCookie, "secure-auth-cookie", "", "CODER_SECURE_AUTH_COOKIE", false, "Specifies if the 'Secure' property is set on browser session cookies")
 
 	return root
 }
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -29,6 +29,8 @@ type Options struct {
 
 	AWSCertificates      awsidentity.Certificates
 	GoogleTokenValidator *idtoken.Validator
+
+	SecureAuthCookie bool
 }
 
 // New constructs the Coder API into an HTTP handler.
diff --git a/coderd/users.go b/coderd/users.go
@@ -417,6 +417,7 @@ func (api *api) postLogin(rw http.ResponseWriter, r *http.Request) {
 		Path:     "/",
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
+		Secure:   api.SecureAuthCookie,
 	})
 
 	render.Status(r, http.StatusCreated)

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@ type Options struct {`
`29`	`29`
`30`	`30`	`AWSCertificates awsidentity.Certificates`
`31`	`31`	`GoogleTokenValidator *idtoken.Validator`
	`32`	`+`
	`33`	`+ SecureAuthCookie bool`
`32`	`34`	`}`
`33`	`35`
`34`	`36`	`// New constructs the Coder API into an HTTP handler.`