Secure cookie flags + CSRF for our own POST forms (todo §4); SECURE_COOKIES toggle on session/CSRF cookies; csrf.ts signed double-submit token + body.ts form reader; logout is now a CSRF-guarded POST form

2026-06-18 11:12:32 +02:00
parent dec55f85a6
commit 4b2173cb84
21 changed files with 241 additions and 26 deletions


@@ -10,6 +10,7 @@ services:
environment:
CACHE_TEMPLATES: "true"
REQUIRE_SECURE_SECRETS: "true"
SECURE_COOKIES: "true" # prod serves https — mark session/CSRF cookies Secure
# Wait for the services config.ts talks to (kratos + keto) + the one-shot bootstrap
# (admin + JWKS seed). Hydra is post-MVP (§6), not in config.ts, so web skips it.
depends_on:
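Review bot: the added `SECURE_COOKIES: "true"` line makes the Secure flag opt-in through an environment string, so a missing or mistyped value (e.g. `True`, `1`) in another compose file or deployment would silently produce non-Secure session and CSRF cookies on an https origin; consider having the web service treat anything other than an explicit `"false"` as secure (fail closed), or at least make the reader of this variable reject values it does not recognise and document the accepted spellings next to `REQUIRE_SECURE_SECRETS`, which is set in the same block and presumably follows the same convention.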