Merge pull request #182 from HE-Arc/sp-csrf-protection

adding SameSite=Strict
HE-Arc · May 1, 2024 · f6928bc · f6928bc
2 parents 3795ab5 + 144c957
commit f6928bc
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/frontend/src/api_client.js b/frontend/src/api_client.js
@@ -192,7 +192,7 @@ export default
         if (response.status === 200) {
             // set cookie
             let date = new Date(response.data.expires).toUTCString()
-            document.cookie = `access_token=Token ${response.data.token};secure;expires=${date};`; // TODO adding expires date from backend
+            document.cookie = `access_token=Token ${response.data.token};expires=${date};SameSite=Strict;Secure;`; // TODO adding expires date from backend
 
             // set axios header
             axios.defaults.headers.common['Authorization'] = "Token " + response.data.token;
@@ -223,7 +223,7 @@ export default
      */
     static async logoutUser() {
         // remove cookie
-        document.cookie = `access_token=; expires=Thu, 01 Jan 1970 00:00:00 UTC; secure`;
+        document.cookie = `access_token=; expires=Thu, 01 Jan 1970 00:00:00 UTC;`;
 
         // remove axios header
         delete axios.defaults.headers.common['Authorization'];