From 4413b37ce891e7ae41b565bddb4e8029dfa7baab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=B0=A2=E4=BA=9A=E6=98=95?= <1549469775@qq.com>
Date: Thu, 4 Sep 2025 10:00:52 +0800
Subject: [PATCH] =?UTF-8?q?fix(session):=20=E5=B0=86sameSite=E7=AD=96?= =?UTF-8?q?=E7=95=A5=E6=9B=B4=E6=94=B9=E4=B8=BAstrict=E4=BB=A5=E5=A2=9E?= =?UTF-8?q?=E5=BC=BA=E5=AE=89=E5=85=A8=E6=80=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 将session配置中的sameSite属性从lax更改为strict
- 提高了跨站请求伪造(CSRF)防护力度
- 参考了相关安全最佳实践链接
---
 src/middlewares/Session/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/middlewares/Session/index.js b/src/middlewares/Session/index.js
index 266694c..47da2a2 100644
--- a/src/middlewares/Session/index.js
+++ b/src/middlewares/Session/index.js
@@ -9,7 +9,7 @@ export default (app) => {
 rolling: false,
 renew: false,
 secure: process.env.NODE_ENV === "production" && process.env.HTTPS_ENABLE === "on",
- sameSite: "lax", // https://scotthelme.co.uk/csrf-is-dead/
+ sameSite: "strict", // https://scotthelme.co.uk/csrf-is-dead/
 };
 return session(CONFIG, app);
 };
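Review bot: `sameSite: "strict"` on the session cookie means the browser withholds it on every top-level navigation that originates from another site, so a user following a link from an e-mail or returning from an external OAuth/payment redirect arrives without their session and appears logged out on that first request; confirm the app has no such cross-site entry points before merging, or keep `"lax"` for the session cookie and pair it with a CSRF token. The comment kept on the changed line still points to an article that argues `lax` is sufficient, so it no longer explains the setting; replace it with something like `// "strict": cookie is also withheld on cross-site top-level navigations — breaks external deep links and OAuth callbacks; revisit if those are added`. SameSite is a defence-in-depth control rather than a complete CSRF defence (same-site subdomains and older clients are not covered), so any existing CSRF token check should remain in place. The enclosing `export default (app) =>` function and the opening of the `CONFIG` object literal lie outside the hunk.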