zydronium/neocities
1
0
Fork 0
mirror of https://github.com/neocities/neocities.git synced 2025-07-19 17:16:05 +02:00
Code Issues Projects Releases Packages Wiki Activity

sessions: new secret, set issued time of session cookie for revoking

Browse source
This commit is contained in:
Kyle Drake 2025-01-31 20:03:41 -06:00
parent f7c367b939
commit 98acf7ce89
4 changed files with 11 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

11
app.rb
View file

@ -4,7 +4,7 @@ require './app_helpers.rb'
use Rack::Session::Cookie, key: 'neocities',
path: '/',
expire_after: 31556926, # one year in seconds
secret: $config['session_secret'],
secret: Base64.strict_decode64($config['session_secret']),
httponly: true,
same_site: :lax,
secure: ENV['RACK_ENV'] == 'production'
@ -105,11 +105,14 @@ end
after do
if @api
request.session_options[:skip] = true
else
# Set issue timestamp on session cookie if it doesn't exist yet
session['i'] = Time.now.to_i if session && !session['i'] && session['id']
end
end
after do
response.headers['Content-Security-Policy'] = %{default-src 'self' data: blob: 'unsafe-inline'; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; connect-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://api.stripe.com; frame-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com} unless self.class.development?
unless self.class.development?
response.headers['Content-Security-Policy'] = %{default-src 'self' data: blob: 'unsafe-inline'; script-src 'self' blob: 'unsafe-inline' 'unsafe-eval' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com; style-src 'self' 'unsafe-inline' https://hcaptcha.com https://*.hcaptcha.com; connect-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://api.stripe.com; frame-src 'self' https://hcaptcha.com https://*.hcaptcha.com https://js.stripe.com}
end
end
not_found do