Secure cookie flags + CSRF for our own POST forms (todo §4); SECURE_COOKIES toggle on session/CSRF cookies; csrf.ts signed double-submit token + body.ts form reader; logout is now a CSRF-guarded POST form

2026-06-18 11:12:32 +02:00
parent dec55f85a6
commit 4b2173cb84
21 changed files with 241 additions and 26 deletions
--- a/compose.override.yml
+++ b/compose.override.yml
@@ -7,6 +7,7 @@ services:
    environment:
      CACHE_TEMPLATES: "false"
      REQUIRE_SECURE_SECRETS: "false"
+      SECURE_COOKIES: "false" # dev serves http — Secure cookies wouldn't be sent
    volumes:
      - .:/app
      - /app/node_modules