mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-11-26 02:10:19 +08:00
92922288dd
Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207.
89 lines
3.4 KiB
PHP
89 lines
3.4 KiB
PHP
<?php
|
|
|
|
use \Illuminate\Support\Str;
|
|
|
|
/**
|
|
* Session configuration options.
|
|
*
|
|
* Changes to these config files are not supported by BookStack and may break upon updates.
|
|
* Configuration should be altered via the `.env` file or environment variables.
|
|
* Do not edit this file unless you're happy to maintain any changes yourself.
|
|
*/
|
|
|
|
return [
|
|
|
|
// Default session driver
|
|
// Options: file, cookie, database, redis, memcached, array
|
|
'driver' => env('SESSION_DRIVER', 'file'),
|
|
|
|
// Session lifetime, in minutes
|
|
'lifetime' => env('SESSION_LIFETIME', 120),
|
|
|
|
// Expire session on browser close
|
|
'expire_on_close' => false,
|
|
|
|
// Encrypt session data
|
|
'encrypt' => false,
|
|
|
|
// Location to store session files
|
|
'files' => storage_path('framework/sessions'),
|
|
|
|
// Session Database Connection
|
|
// When using the "database" or "redis" session drivers, you can specify a
|
|
// connection that should be used to manage these sessions. This should
|
|
// correspond to a connection in your database configuration options.
|
|
'connection' => null,
|
|
|
|
// Session database table, if database driver is in use
|
|
'table' => 'sessions',
|
|
|
|
// Session Cache Store
|
|
// When using the "apc" or "memcached" session drivers, you may specify a
|
|
// cache store that should be used for these sessions. This value must
|
|
// correspond with one of the application's configured cache stores.
|
|
'store' => null,
|
|
|
|
// Session Sweeping Lottery
|
|
// Some session drivers must manually sweep their storage location to get
|
|
// rid of old sessions from storage. Here are the chances that it will
|
|
// happen on a given request. By default, the odds are 2 out of 100.
|
|
'lottery' => [2, 100],
|
|
|
|
// Session Cookie Name
|
|
// Here you may change the name of the cookie used to identify a session
|
|
// instance by ID. The name specified here will get used every time a
|
|
// new session cookie is created by the framework for every driver.
|
|
'cookie' => env('SESSION_COOKIE_NAME', 'bookstack_session'),
|
|
|
|
// Session Cookie Path
|
|
// The session cookie path determines the path for which the cookie will
|
|
// be regarded as available. Typically, this will be the root path of
|
|
// your application but you are free to change this when necessary.
|
|
'path' => '/',
|
|
|
|
// Session Cookie Domain
|
|
// Here you may change the domain of the cookie used to identify a session
|
|
// in your application. This will determine which domains the cookie is
|
|
// available to in your application. A sensible default has been set.
|
|
'domain' => env('SESSION_DOMAIN', null),
|
|
|
|
// HTTPS Only Cookies
|
|
// By setting this option to true, session cookies will only be sent back
|
|
// to the server if the browser has a HTTPS connection. This will keep
|
|
// the cookie from being sent to you if it can not be done securely.
|
|
'secure' => env('SESSION_SECURE_COOKIE', null)
|
|
?? Str::startsWith(env('APP_URL'), 'https:'),
|
|
|
|
// HTTP Access Only
|
|
// Setting this value to true will prevent JavaScript from accessing the
|
|
// value of the cookie and the cookie will only be accessible through the HTTP protocol.
|
|
'http_only' => true,
|
|
|
|
// Same-Site Cookies
|
|
// This option determines how your cookies behave when cross-site requests
|
|
// take place, and can be used to mitigate CSRF attacks. By default, we
|
|
// do not enable this as other CSRF protection services are in place.
|
|
// Options: lax, strict, none
|
|
'same_site' => 'lax',
|
|
];
|