feat(settings): possibilité de paramètrer la politique d'envoi des cookies (session et CSRF token)

benevalibre/settings/base.py

@@ -263,6 +263,22 @@ SESSION_COOKIE_PATH = APP_LOCATION
 # https://docs.djangoproject.com/en/stable/ref/settings/#csrf-cookie-path
 CSRF_COOKIE_PATH = APP_LOCATION
 
+cookie_secure = (
+    True if env('COOKIE_SAMESITE', default='Lax') == 'None' else False
+)
+
+# https://docs.djangoproject.com/en/stable/ref/settings/#csrf-cookie-samesite
+CSRF_COOKIE_SAMESITE = env('COOKIE_SAMESITE', default='Lax')
+
+# https://docs.djangoproject.com/en/stable/ref/settings/#csrf-cookie-secure
+CSRF_COOKIE_SECURE = cookie_secure
+
+# https://docs.djangoproject.com/en/stable/ref/settings/#session-cookie-samesite
+SESSION_COOKIE_SAMESITE = env('COOKIE_SAMESITE', default='Lax')
+
+# https://docs.djangoproject.com/en/stable/ref/settings/#session-cookie-secure
+SESSION_COOKIE_SECURE = cookie_secure
+
 # ------------------------------------------------------------------------------
 # APPLICATION AND 3RD PARTY LIBRARY SETTINGS
 # ------------------------------------------------------------------------------

config.env.example

@@ -97,3 +97,6 @@
 
 # Upstream source for new release checking
 #UPSTREAM_RELEASES=https://forge.cliss21.org/api/v1/repos/cliss21/benevalibre/tags
+
+# SameSite Policy for sending cookies (CSRF Token and Session). Should 'Lax' or 'Strict' for security reasons
+#COOKIE_SAMESITE=Lax