From a33e724199cb61b0d9a43786ba3638b3a20df726 Mon Sep 17 00:00:00 2001
From: riwiwa
Date: Sun, 8 Feb 2026 21:46:50 -0800
Subject: [PATCH] add CSRF protection, add cookie security

---
 web/web.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/web/web.go b/web/web.go
index b9492be..e2730f6 100644
--- a/web/web.go
+++ b/web/web.go
@@ -204,6 +204,8 @@ func createAccount(w http.ResponseWriter, r *http.Request) {
 Value: sessionID,
 Path: "/",
 HttpOnly: true,
+ Secure: true,
+ SameSite: http.SameSiteLaxMode,
 MaxAge: 86400 * 30, // 30 days
 })
 http.Redirect(w, r, "/profile/"+username, http.StatusSeeOther)
@@ -248,6 +250,8 @@ func loginSubmit(w http.ResponseWriter, r *http.Request) {
 Value: sessionID,
 Path: "/",
 HttpOnly: true,
+ Secure: true,
+ SameSite: http.SameSiteLaxMode,
 MaxAge: 86400 * 30, // 30 days
 })
 http.Redirect(w, r, "/profile/"+username, http.StatusSeeOther)
@@ -503,5 +507,6 @@ func Start() {
 r.Post("/import/lastfm", importLastFMHandler)
 r.Get("/import/lastfm/progress", importLastFMProgressHandler)
 fmt.Printf("WebUI starting on %s\n", addr)
- http.ListenAndServe(addr, r)
+ prot := http.NewCrossOriginProtection()
+ http.ListenAndServe(addr, prot.Handler(r))
 }
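Review bot: `Secure: true` on the new line tells browsers to send this cookie only over HTTPS, yet the same patch still serves plain HTTP through `http.ListenAndServe` in `Start()`, so unless a TLS-terminating proxy sits in front of this process every login will silently appear logged out (most browsers exempt http://localhost, but a plain-HTTP LAN or container deployment will not work). Either gate the flag on configuration (`Secure: cfg.TLS` or an environment flag) or record the requirement beside the field, e.g. `Secure: true, // requires TLS in front of this server; plain http:// deployments will drop the session`. Since Path is "/" and the cookie is now Secure, giving the cookie name (set above the hunk, not visible here) the `__Host-` prefix would additionally bind it to this host and prevent a sibling subdomain from overwriting it. createAccount's body begins and ends outside the hunk.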
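Review bot: The cookie attributes are now duplicated verbatim between loginSubmit and createAccount (the hunk at line 204), and this patch had to edit both places to add two fields; the next change to MaxAge or SameSite that misses one path leaves the two login flows with different protections. Extract the `http.SetCookie` call (its opening lines sit above the hunk) into a single helper such as `func setSessionCookie(w http.ResponseWriter, sessionID string)` and call it from both handlers. That helper is also the one place to keep a short comment on why SameSite is Lax rather than Strict (Lax keeps the session on top-level navigations arriving from other sites, while Strict would drop it). loginSubmit starts and ends outside the hunk.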
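Review bot: The new `http.ListenAndServe(addr, prot.Handler(r))` still discards its error, so a failed bind (port in use, bad addr) returns from Start() immediately after printing "WebUI starting", leaving the process looking healthy with no listener; write `if err := http.ListenAndServe(addr, prot.Handler(r)); err != nil { log.Fatal(err) }` (importing `log` if the file does not already). Two deployment caveats about `http.NewCrossOriginProtection` deserve a comment on the `prot` line: it requires Go 1.25 in go.mod (not visible here), and for clients that omit `Sec-Fetch-Site` it compares the Origin header against the request Host, so behind a reverse proxy that rewrites Host the POST routes (including `/import/lastfm`) will be rejected until the public origin is registered with `prot.AddTrustedOrigin(...)`. It also guards only unsafe methods, so any `r.Get` handler that mutates state stays CSRF-able; that looks fine for the routes visible here but is worth a one-line note so nobody later adds a state-changing GET. Start's body begins outside the hunk.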