SameSite=strict cookies are another layer to help prevent CSRF attacks in newer browsers (at least 5, no clue about earlier versions)
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,3 +1,3 @@
# Be sure to restart your server when you modify this file.
-Rails.application.config.session_store :cookie_store, key: '_session'
+Rails.application.config.session_store :cookie_store, key: '_session', same_site: :strict
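Review bot: the `same_site: :strict` option added on the `+` line only takes effect when the Rack underneath actually emits the SameSite attribute; as the text below notes, pliny is still on rack ~> 1.5, where this option is silently dropped, so the change should be paired with a check that the emitted `Set-Cookie` header really carries `SameSite=Strict` before anyone relies on it. Worth also noting that Strict withholds the session cookie on top-level navigations coming from other sites, so a user following an external link into the app looks logged out on that first request; `same_site: :lax` still blocks cross-site POSTs and is the usual choice for a session cookie.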
Unfortunately at this time, the easiest way would be to use Rack 2, but pliny has a dependency on sinatra ~> 1.4 which has a dep on rack ~> 1.5, so we'll need to wait for sinatra 2 to come out of beta and then for pliny to update its dependency.
Some links: https://tools.ietf.org/html/draft-west-first-party-cookies-06#section-4.1.1 https://chloe.re/2016/04/13/goodbye-csrf-samesite-to-the-rescue/ https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
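An added example (not from the original post and not pliny's own code): a small Rack middleware that appends SameSite=Strict to the named session cookie on Rack 1.x, where the `same_site:` option is ignored. It assumes the Rack 1.x/2.x convention that several Set-Cookie values are joined into one header string with "\n"; the `SameSiteStrict` class, its `_session` default and the `demo_response` helper are hypothetical names chosen here.

```ruby
# Hypothetical middleware (not part of pliny): appends SameSite=Strict to the
# session cookie when the underlying Rack does not emit the attribute itself.
# Assumes the Rack 1.x/2.x convention that several Set-Cookie values are
# joined into one header string with "\n" (an Array is also handled).
class SameSiteStrict
  def initialize(app, cookie_name: '_session')
    @app = app
    @cookie_name = cookie_name
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers['Set-Cookie']
      headers['Set-Cookie'] = harden_header(headers['Set-Cookie'])
    end
    [status, headers, body]
  end

  # Rewrite every cookie in the header, preserving the original shape.
  def harden_header(header)
    values = header.is_a?(Array) ? header : header.split("\n")
    hardened = values.map { |cookie| harden(cookie) }
    header.is_a?(Array) ? hardened : hardened.join("\n")
  end

  # Add SameSite=Strict to the session cookie only; leave other cookies alone
  # and respect an explicit SameSite attribute the app already set (e.g. Lax).
  def harden(cookie)
    name = cookie.split('=', 2).first.to_s.strip
    return cookie unless name == @cookie_name
    return cookie if cookie =~ /;\s*SameSite=/i
    "#{cookie}; SameSite=Strict"
  end
end

# Constructed Rack app for a smoke test: sets the session cookie plus one other.
def demo_response
  app = lambda do |_env|
    [200, { 'Set-Cookie' => "_session=abc123; path=/; HttpOnly\nlang=en; path=/" }, ['ok']]
  end
  _status, headers, _body = SameSiteStrict.new(app).call({})
  headers['Set-Cookie']
end

puts demo_response if $PROGRAM_NAME == __FILE__
```

Mount it below the session middleware so it sees the Set-Cookie header the session store writes, and inspect the actual response headers in a browser to confirm the attribute is present.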