by colinclerk
1344 days ago
SameSite=Lax plus CORS does the trick. Block requests where origin=helpdesk.mysite.com. Also, since you're concerned about subdomain attacks, make sure you set the cookie on a subdomain rather than the naked domain to prevent it from leaking.

Edit: you can put it on the naked domain if your app is on the naked domain. If you do that, do not set the Domain= attribute in your Set-Cookie because that will cause it to leak to subdomains.