Cookie security

  • Apply the cookie prefix __Host-:
    it requires the cookie to have the Secure attribute, to be set from a secure origin, to not include a Domain attribute, and to have the Path attribute set to /. In this way, these cookies can be seen as "domain-locked".

  • secure: prevents the cookie from being sent over HTTP (HTTPS only)

  • httpOnly: the cookie is not accessible from JavaScript on the client

  • sameSite: 'strict' (the cookie is not sent on cross-site requests)

  • if the app sits behind a proxy that uses HTTP to connect to Node.js, Express must be told about it with trust proxy, otherwise the secure cookie will not be set

Example that works well:

    var express = require('express');
    var session = require('express-session');
    var app = express();
    // Behind a reverse proxy that terminates TLS: trust the first proxy hop so
    // req.secure is true and the `secure` cookie is actually emitted.
    app.set('trust proxy', 1);
    var sessionParameters = {
        secret: config.secret,          // config.secret: your own session secret (not shown here)
        resave: false,
        saveUninitialized: false,
        name: '__Host-session',         // __Host- prefix: Secure, no Domain, Path=/
        cookie: {
            maxAge: 30 * 24 * 60 * 60 * 1000,  // 30 days, in milliseconds
            secure: true,               // only sent over HTTPS
            httpOnly: true,             // not readable from client-side JavaScript
            sameSite: 'strict'
        }
    };
    app.use(session(sessionParameters));
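As an added example (not code from the original note or from express-session), here is a small audit function that parses a Set-Cookie header and reports which of the rules above it violates: the __Host- prefix requirements (Secure, no Domain, Path=/) plus HttpOnly and SameSite=Strict. The sample headers are constructed for the example.

```javascript
// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const [rawName, ...valueParts] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf('=');
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : p.slice(eq + 1).trim();
  }
  return { name: rawName.trim(), value: valueParts.join('='), attrs };
}

// Return the list of problems found; an empty list means the cookie
// satisfies every rule described in this note.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (!('secure' in attrs)) problems.push('missing Secure');
  if (!('httponly' in attrs)) problems.push('missing HttpOnly');
  if (String(attrs.samesite || '').toLowerCase() !== 'strict') {
    problems.push('SameSite is not Strict');
  }
  if (name.startsWith('__Host-')) {
    // Browsers only honour the prefix when these hold; otherwise the
    // Set-Cookie is rejected and the session silently never starts.
    if ('domain' in attrs) problems.push('__Host- cookie must not set Domain');
    if (attrs.path !== '/') problems.push('__Host- cookie must set Path=/');
  } else {
    problems.push('name lacks the __Host- prefix');
  }
  return problems;
}

// Constructed sample headers (not captured from a real server).
const GOOD_HEADER =
  '__Host-session=s%3Aabc.def; Path=/; HttpOnly; Secure; SameSite=Strict';
const BAD_HEADER = 'session=abc; Domain=example.com; Path=/; HttpOnly';
const BAD_PREFIX_HEADER =
  '__Host-session=abc; Secure; HttpOnly; SameSite=Strict; Domain=example.com';

console.log(auditSessionCookie(GOOD_HEADER));       // []
console.log(auditSessionCookie(BAD_HEADER));
console.log(auditSessionCookie(BAD_PREFIX_HEADER));
```

Run it against the headers your reverse proxy actually forwards to confirm that trust proxy is in effect and the Secure attribute survives end to end.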