SecureHeaders supports `Secure`, `HttpOnly` and [`SameSite`](https://tools.ietf.org/html/draft-west-first-party-cookies-06) cookies. These can be defined in the form of a boolean, or as a Hash for more refined configuration.
274
+
275
+
__Note__: Regardless of the configuration specified, Secure cookies are only enabled for HTTPS requests.
276
+
277
+
#### Boolean-based configuration
278
+
279
+
Boolean-based configuration is intended to globally enable or disable a specific cookie attribute.
280
+
281
+
```ruby
282
+
config.cookies = {
283
+
secure:true, # mark all cookies as Secure
284
+
httponly:false, # do not mark any cookies as HttpOnly
285
+
}
286
+
```
287
+
288
+
#### Hash-based configuration
289
+
290
+
Hash-based configuration allows for fine-grained control.
291
+
292
+
```ruby
293
+
config.cookies = {
294
+
secure: { except: ['_guest'], # mark all but the `_guest` cookie as Secure
295
+
httponly: { only: ['_rails_session'] }, # only mark the `_rails_session` cookie as HttpOnly
296
+
}
297
+
```
298
+
299
+
#### SameSite
300
+
301
+
SameSite cookies permit either `Strict` or `Lax` enforcement mode options.
302
+
303
+
```ruby
304
+
config.cookies = {
305
+
samesite:true# mark all cookies as SameSite (user agents default this to `Strict` enforcement mode)
306
+
}
307
+
```
308
+
309
+
`Strict` and `Lax` enforcement can also be specified using a Hash.
310
+
311
+
```ruby
312
+
config.cookies = {
313
+
samesite: {
314
+
strict: { only: [`_rails_session`] },
315
+
lax: { only: [`_guest`] }
316
+
}
317
+
}
318
+
```
319
+
267
320
### Using with Sinatra
268
321
269
322
Here's an example using SecureHeaders for Sinatra applications:
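Review bot: the SameSite Hash example (the `strict:` and `lax:` lines) wraps the cookie names in backticks, `[`_rails_session`]` and `[`_guest`]`, but in Ruby a backtick literal is command substitution, so evaluating this configuration would attempt to run a shell command named `_rails_session` (and `_guest`) instead of matching a cookie name. These should be string literals like every other example in the section: `strict: { only: ['_rails_session'] },` and `lax: { only: ['_guest'] }`. Two smaller problems in the same hunk: the Hash-based configuration example never closes the `secure` hash, so `secure: { except: ['_guest'],` should read `secure: { except: ['_guest'] },` or the snippet will not parse; and the boolean SameSite example runs the value into the comment (`samesite:true# mark ...`), which wants a space before `#` to match the style of the other snippets.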