From 941233341eca6c7f679b214313f8b8d972d78eec Mon Sep 17 00:00:00 2001
From: Vexx
Date: Sat, 23 May 2026 20:05:14 +0530
Subject: [PATCH] Harden session cookie with HttpOnly, Secure, and SameSite flags

Set httpOnly to block JS access, secure to enforce HTTPS-only transmission in production, and sameSite to prevent cross-site requests from carrying the session cookie. Add NODE_ENV=production to the production Dockerfile so the secure flag activates correctly when deployed.

Fixes #373
---
 backend/Dockerfile.prod | 3 +++
 backend/server.js | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/backend/Dockerfile.prod b/backend/Dockerfile.prod
index 9f35a107..9c73e9ed 100644
--- a/backend/Dockerfile.prod
+++ b/backend/Dockerfile.prod
@@ -13,6 +13,9 @@ RUN npm install --production
 # Copy the rest of the application files
 COPY . .
 
+# Set production environment so cookie security flags are applied
+ENV NODE_ENV=production
+
 # Expose the port for the application
 EXPOSE 5000
 
diff --git a/backend/server.js b/backend/server.js
index 3f19f00b..68f4cc3e 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -20,6 +20,12 @@ app.use(session({
   secret: process.env.SESSION_SECRET,
   resave: false,
   saveUninitialized: false,
+  cookie: {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: process.env.NODE_ENV === 'production' ? 'strict' : 'lax',
+    maxAge: 24 * 60 * 60 * 1000,
+  },
 }));
 app.use(passport.initialize());
 app.use(passport.session());
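Review bot: The new `ENV NODE_ENV=production` line is the only thing that turns the Secure and Strict cookie flags on, and any runtime override of NODE_ENV (a compose `env_file`, an orchestrator env block, a `docker run -e`) silently turns them back off with nothing logged. Placing it after `RUN npm install --production` means it does not affect dependency installation, which is fine, but the coupling to server.js is invisible from this file. A comment stating it would help the next maintainer, e.g. `# NOTE: server.js keys cookie.secure/sameSite off NODE_ENV; do not override this at runtime`. Whether any deployment config already overrides NODE_ENV cannot be seen from this patch.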
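Review bot: `secure: process.env.NODE_ENV === 'production'` will make express-session skip setting the cookie entirely when TLS is terminated in front of the container (the Dockerfile exposes plain port 5000), since Node then sees an `http` connection; that needs `app.set('trust proxy', 1);` before this middleware so `X-Forwarded-Proto` is honoured, and I cannot tell from the patch whether server.js sets it. `sameSite: 'strict'` also breaks any Passport strategy that round-trips through an external identity provider, because the IdP's callback redirect is a cross-site navigation on which the browser withholds the session cookie holding the login state, so `'lax'` — which still keeps the cookie off cross-site POSTs — is the safer production default unless only local strategies are configured. A short why-comment on the block, e.g. `// secure needs HTTPS or trust-proxy; strict would drop the cookie on IdP callback redirects`, would document both traps. The enclosing `app.use(session({` opens above the hunk's first line.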