From be4377a231c96844a6b989309030655f63b7cb9a Mon Sep 17 00:00:00 2001
From: Patrick Jentsch
Date: Wed, 17 Jun 2020 09:26:37 +0200
Subject: [PATCH] Cookie security only if https is set in the config.

---
 web/config.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/web/config.py b/web/config.py
index 5ccd09f1..4b153b16 100644
--- a/web/config.py
+++ b/web/config.py
@@ -6,11 +6,6 @@ import logging
 class Config:
 ''' ### Flask ### '''
 SECRET_KEY = os.environ.get('SECRET_KEY') or 'hard to guess string'
- SESSION_COOKIE_SECURE = True
-
- ''' ### Flask-Login ### '''
- REMEMBER_COOKIE_HTTPONLY = True
- REMEMBER_COOKIE_SECURE = True
 
 ''' ### Flask-Mail ### '''
 MAIL_SERVER = os.environ.get('MAIL_SERVER')
@@ -32,6 +27,7 @@ class Config:
 NOPAQUE_CONTACT = os.environ.get('NOPAQUE_CONTACT')
 NOPAQUE_MAIL_SENDER = os.environ.get('NOPAQUE_MAIL_SENDER')
 NOPAQUE_MAIL_SUBJECT_PREFIX = '[nopaque]'
+ NOPAQUE_PROTOCOL = os.environ.get('NOPAQUE_PROTOCOL')
 NOPAQUE_STORAGE = os.environ.get('NOPAQUE_STORAGE')
 
 os.makedirs('logs', exist_ok=True)
@@ -41,6 +37,15 @@ class Config:
 '%(message)s',
 datefmt='%Y-%m-%d %H:%M:%S',
 filemode='w')
+ ''' ### Security enhancements ### '''
+ if NOPAQUE_PROTOCOL == 'https':
+ ''' ### Flask ### '''
+ SESSION_COOKIE_SECURE = True
+
+ ''' ### Flask-Login ### '''
+ REMEMBER_COOKIE_HTTPONLY = True
+ REMEMBER_COOKIE_SECURE = True
+
 @staticmethod
 def init_app(app):
 proxy_fix_kwargs = {
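Review bot: `REMEMBER_COOKIE_HTTPONLY = True` does not belong inside the `if NOPAQUE_PROTOCOL == 'https':` branch in the third hunk; HttpOnly keeps the remember-me cookie away from page scripts regardless of transport, so the first hunk's removal combined with this branch silently drops it on every deployment that is not configured as https. Keep it at class scope above the `if`, and leave only the two `*_COOKIE_SECURE` flags under the condition. The branch is also fail-open: `NOPAQUE_PROTOCOL` is read in the second hunk with no default, so an unset or misspelled variable (or `'HTTPS'`) disables Secure without any warning, which is worth at least a log line in the else path, or a comparison on a normalized value such as `(NOPAQUE_PROTOCOL or '').lower()`. The `Config` class continues outside the hunk, so `init_app` may also touch these settings.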