From b3d5cde75efe5f9c5e3769bbad65fe97cefd1907 Mon Sep 17 00:00:00 2001
From: Oliver Eyton-Williams
Date: Tue, 16 Jun 2020 17:18:48 +0200
Subject: [PATCH] fix(api): csurf to SameSite 'strict', https only (#39077)

Lax and http are probably sufficient, but if the stricter versions work there's no harm using them.
---
 api-server/server/middlewares/csurf.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/api-server/server/middlewares/csurf.js b/api-server/server/middlewares/csurf.js
index 7229e4194f..e21c2e638c 100644
--- a/api-server/server/middlewares/csurf.js
+++ b/api-server/server/middlewares/csurf.js
@@ -3,7 +3,9 @@ import csurf from 'csurf';
 export default function() {
   const protection = csurf({
     cookie: {
-      domain: process.env.COOKIE_DOMAIN || 'localhost'
+      domain: process.env.COOKIE_DOMAIN || 'localhost',
+      sameSite: 'strict',
+      secure: true
     }
   });
   return function csrf(req, res, next) {
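Review bot: `secure: true` is set unconditionally while `domain` still falls back to `'localhost'`, so a plain-http local run will have the browser withhold or refuse to store the secret cookie (`_csrf` by csurf's default) and every state-changing request will fail validation with EBADCSRFTOKEN; recent Chrome and Firefox exempt `http://localhost` from the Secure restriction, but that does not hold for other browsers or other dev hostnames. If the dev server is not served over TLS, gate the attribute on the environment, e.g. `secure: process.env.NODE_ENV === 'production'`, or document that https is required locally. Separately, `sameSite: 'strict'` withholds the secret cookie on top-level navigations arriving from another site (an OAuth provider redirect, a link from email), and csurf then mints a new secret and overwrites the cookie, invalidating any token the client fetched earlier — worth confirming against the login flow before preferring strict over lax. The cookie block also lacks `httpOnly: true`, which is a free hardening here since in csurf's design the client needs the token from `req.csrfToken()`, never the secret cookie itself — presumably nothing in this codebase reads `_csrf` from `document.cookie`, verify. The enclosing exported function and the returned `csrf` handler continue past the end of the hunk.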