config: validate cookie_secure option (#4484)

Do not allow the combination of 'cookie_same_site: none' and 'cookie_secure: false'. Cookies with SameSite=None must also set the Secure option, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#none.
2025-07-12 14:28:33 +02:00 · 2023-08-23 10:43:01 -07:00 · 2023-08-23 10:43:01 -07:00 · 5a4acc5cd3
commit 5a4acc5cd3
parent c95f1695ec
2 changed files with 6 additions and 0 deletions
--- a/config/options.go
+++ b/config/options.go
@ -767,6 +767,8 @@ func (o *Options) Validate() error {

 	if err := ValidateCookieSameSite(o.CookieSameSite); err != nil {
 		return fmt.Errorf("config: invalid cookie_same_site: %w", err)
+	} else if !o.CookieSecure && o.GetCookieSameSite() == http.SameSiteNoneMode {
+		return errors.New("config: cannot use cookie_same_site: none with cookie_secure: false")
 	}

 	if err := ValidateLogLevel(o.LogLevel); err != nil {