fix: resolve 7 audit issues - webhook tokens, cookie security, avatar save, TUI fallback, dead code, valkey default

This commit is contained in:
2026-06-30 13:29:34 -04:00
parent 6f43e4f3a0
commit 2caedc172b
9 changed files with 41 additions and 103 deletions
+2 -2
View File
@@ -9,7 +9,7 @@ import (
// SetSessionCookie writes the session cookie with secure defaults.
// Shared by password login, registration, and WebAuthn login.
func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration time.Duration) {
secure := os.Getenv("COOKIE_SECURE") == "true"
secure := os.Getenv("COOKIE_SECURE") != "false"
http.SetCookie(w, &http.Cookie{
Name: cookieName,
@@ -17,7 +17,7 @@ func SetSessionCookie(w http.ResponseWriter, cookieName, token string, duration
Path: "/",
HttpOnly: true,
Secure: secure,
SameSite: http.SameSiteDefaultMode,
SameSite: http.SameSiteStrictMode,
MaxAge: int(duration.Seconds()),
})
}