feat(settings): possibilité de paramètrer la politique d'envoi des cookies (session et CSRF token)

1 month ago · cb778e02a9
2 changed files with 19 additions and 0 deletions
--- a/benevalibre/settings/base.py
+++ b/benevalibre/settings/base.py
@ -263,6 +263,22 @@ SESSION_COOKIE_PATH = APP_LOCATION
				@@ -263,6 +263,22 @@ SESSION_COOKIE_PATH = APP_LOCATION
 # https://docs.djangoproject.com/en/stable/ref/settings/#csrf-cookie-path
 CSRF_COOKIE_PATH = APP_LOCATION

+cookie_secure = (
+    True if env('COOKIE_SAMESITE', default='Lax') == 'None' else False
+)
+
+# https://docs.djangoproject.com/en/stable/ref/settings/#csrf-cookie-samesite
+CSRF_COOKIE_SAMESITE = env('COOKIE_SAMESITE', default='Lax')
+
+# https://docs.djangoproject.com/en/stable/ref/settings/#csrf-cookie-secure
+CSRF_COOKIE_SECURE = cookie_secure
+
+# https://docs.djangoproject.com/en/stable/ref/settings/#session-cookie-samesite
+SESSION_COOKIE_SAMESITE = env('COOKIE_SAMESITE', default='Lax')
+
+# https://docs.djangoproject.com/en/stable/ref/settings/#session-cookie-secure
+SESSION_COOKIE_SECURE = cookie_secure
+
 # ------------------------------------------------------------------------------
 # APPLICATION AND 3RD PARTY LIBRARY SETTINGS
 # ------------------------------------------------------------------------------
--- a/config.env.example
+++ b/config.env.example
@ -97,3 +97,6 @@
				@@ -97,3 +97,6 @@

 # Upstream source for new release checking
 #UPSTREAM_RELEASES=https://forge.cliss21.org/api/v1/repos/cliss21/benevalibre/tags
+
+# SameSite Policy for sending cookies (CSRF Token and Session). Should 'Lax' or 'Strict' for security reasons
+#COOKIE_SAMESITE=Lax