From 3359cb8c019a36443b7bcaf9a151a59bae78b592 Mon Sep 17 00:00:00 2001
From: 喻勇祥 <237899745@qq.com>
Date: Tue, 11 Nov 2025 13:36:12 +0800
Subject: [PATCH] Security: add the secure and sameSite security flags to the cookie
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem description:
- The cookie only set httpOnly and lacked the other security flags
- The secure flag was not enabled, so the cookie could be hijacked in an HTTPS environment
- sameSite protection was missing, leaving a CSRF risk

Fix:
1. Add the secure flag, controlled by the COOKIE_SECURE environment variable
   - set to true in an HTTPS environment
   - set to false in an HTTP environment
2. Add sameSite: 'lax' to prevent CSRF attacks
   - lax mode allows the cookie on navigations
   - blocks POST requests from third-party sites from carrying the cookie
3. Keep httpOnly: true to prevent XSS attacks
4. Keep maxAge: a 7-day expiry

Configuration:
- set COOKIE_SECURE=true in .env (HTTPS environment)
- set COOKIE_SECURE=false in .env (HTTP environment)

Scope of impact: security of the user login authentication cookie

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 backend/server.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/backend/server.js b/backend/server.js
index 446014a..4696767 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -199,6 +199,8 @@ app.post('/api/login',
     res.cookie('token', token, {
       httpOnly: true,
+      secure: process.env.COOKIE_SECURE === 'true', // HTTPS环境下启用
+      sameSite: 'lax', // 防止CSRF攻击
       maxAge: 7 * 24 * 60 * 60 * 1000 // 7天
     });
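Review bot: the `secure` flag in this hunk fails open: `process.env.COOKIE_SECURE === 'true'` evaluates to false whenever the variable is unset, empty or misspelled, so a production deployment that forgets the `.env` entry described in the commit message issues the login token without `Secure` and gets no error. Invert the default so the cookie is secure unless the deployment explicitly opts out, e.g. `secure: process.env.COOKIE_SECURE !== 'false'`, or refuse to start outside development when the resulting value is false. On `sameSite: 'lax'`: it does what the message says for cross-site POSTs, but the cookie is still sent on top-level cross-site GET navigations, so any state-changing route reachable by GET stays exposed; if the token does not need to survive arrival via an external link, `'strict'` is the safer choice, otherwise confirm no mutating endpoint accepts GET. The hunk header counts eight lines in the new file but only six are shown here, so the two trailing context lines appear to have been lost in extraction rather than from the patch itself.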
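The commit message describes the intended flag set but the patch leaves no way to verify what the server actually emits. The following is an added example, not code from this repository or its author: a fail-closed variant of the cookie options (secure unless `COOKIE_SECURE=false` is set explicitly, and rejected outright in production), and a small `Set-Cookie` audit that reports missing `HttpOnly`, `Secure` or `SameSite` attributes. The function names `cookieOptions`, `parseSetCookie` and `auditSetCookie`, and the two header strings, are constructed for the example; the `BEFORE` header models what Express emits for the pre-patch options and `AFTER` what the patched options emit over HTTPS.

```javascript
// Added example (not part of the patch): fail-closed cookie options for the
// login token, plus an audit of the resulting Set-Cookie header.

// Build the options object for res.cookie(). Unlike `COOKIE_SECURE === 'true'`,
// this is secure by default and only becomes insecure on an explicit opt-out,
// which is additionally refused when NODE_ENV is 'production'.
function cookieOptions(env) {
  const secure = env.COOKIE_SECURE !== 'false';
  if (!secure && env.NODE_ENV === 'production') {
    throw new Error('refusing to issue an insecure login cookie in production');
  }
  return {
    httpOnly: true,
    secure,
    sameSite: 'lax',
    path: '/',
    maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days, as in the patch
  };
}

// Parse one Set-Cookie header value into { name, value, attrs }, with
// attribute names lower-cased and flag attributes mapped to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return a list of problems with a session cookie header; an empty list is a pass.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  if (!attrs.httponly) problems.push('missing HttpOnly');
  if (!attrs.secure) problems.push('missing Secure');
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (sameSite !== 'lax' && sameSite !== 'strict') problems.push('SameSite not Lax/Strict');
  return problems;
}

// Constructed headers: pre-patch output vs. patched output over HTTPS.
const BEFORE = 'token=abc.def.ghi; Max-Age=604800; Path=/; Expires=Tue, 18 Nov 2025 05:36:12 GMT; HttpOnly';
const AFTER = 'token=abc.def.ghi; Max-Age=604800; Path=/; Expires=Tue, 18 Nov 2025 05:36:12 GMT; HttpOnly; Secure; SameSite=Lax';

console.log('before patch:', auditSetCookie(BEFORE));
console.log('after patch: ', auditSetCookie(AFTER));
console.log('unset COOKIE_SECURE ->', cookieOptions({}).secure);
```

In a deployment check, replace the constructed headers with the `set-cookie` header returned by a real request to `/api/login`; the audit is deliberately independent of the application so it also catches a reverse proxy or framework that strips attributes.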