feat: add -dev flag for local HTTP testing
In development mode (-dev): - the HSTS header is omitted (so browsers do not cache an HTTPS-only policy for the local host) - the CSRF cookie's Secure flag is cleared (so the cookie is sent over plain HTTP) - a warning is logged on startup Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
28f55960de
commit
8933055358
3 changed files with 10 additions and 1 deletions
1
csrf.go
1
csrf.go
|
|
@ -25,6 +25,7 @@ func setCSRFToken(w http.ResponseWriter) (string, error) {
|
|||
Path: "/",
|
||||
HttpOnly: false, // must be readable via form hidden field comparison
|
||||
SameSite: http.SameSiteStrictMode,
|
||||
Secure: !devMode,
|
||||
})
|
||||
return token, nil
|
||||
}
|
||||
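Review bot: `Secure: !devMode` silently turns a hard security property of the CSRF cookie into a runtime-toggled one, and nothing at this line tells a reader that the toggle is meant for local testing only; the declaration and parsing of `devMode` are outside this hunk, so I cannot confirm it is restricted to loopback listeners. I would annotate the line, e.g. `Secure: !devMode, // dropped only under -dev for plain-HTTP local testing; never combine -dev with a network-facing listener`, and, if the flag handling allows it, refuse to start when -dev is set together with a non-loopback bind address rather than relying on the startup warning alone. Also worth checking: if the cookie name uses a `__Host-` or `__Secure-` prefix (not visible here), browsers reject it without Secure, so dev mode would break CSRF checks rather than relax them. The enclosing setCSRFToken begins before this hunk.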
|
|
|
|||