Skip to content

Commit db620fb

Browse files
committed
Fix A+ rating when checking with Nextcloud Security Scan.
Due to commit 33d7019 session.cookie_secure=true is not set when accessing /status.php. This results in a degration from A+ to A rating due to missing __Host prefix for nc_sameSiteCookielax and nc_sameSiteCookiestrict cookies.
1 parent 051e46a commit db620fb

1 file changed

Lines changed: 3 additions & 0 deletions

File tree

lib/base.php

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -366,6 +366,9 @@ public static function initSession(): void {
366366
// Monitoring endpoints can quickly flood session handlers
367367
// and 'status.php' doesn't require sessions anyway
368368
if (str_ends_with($request->getScriptName(), '/status.php')) {
369+
if ($request->getServerProtocol() === 'https') {
370+
ini_set('session.cookie_secure', 'true');
371+
}
369372
return;
370373
}
371374

0 commit comments

Comments
 (0)