module Roda::RodaPlugins::CookieFlags

  1. lib/roda/plugins/cookie_flags.rb

The cookie_flags plugin allows users to force specific cookie flags for all cookies set by the application. It can also be used to warn or raise for unexpected cookie flags.

The cookie_flags plugin deals with the following cookie flags:


Disallows access to the cookie from client-side scripts.


Restricts to which domains the cookie is sent.


Instructs the browser to only transmit the cookie over HTTPS.

This plugin ships in secure-by-default mode, where it enforces secure, httponly, samesite=strict cookies. You can disable enforcing specific flags using the following options:


Set to false to not enforce httponly flag.


Set to symbol or string to enforce a different samesite setting, or false to not enforce a specific samesite setting.


Set to false to not enforce secure flag.

For example, to enforce secure cookies and enforce samesite=lax, but not enforce an httponly flag:

plugin :cookie_flags, httponly: false, same_site: 'lax'

In general, overriding cookie flags using this plugin should be considered a stop-gap solution. Instead of overriding cookie flags, it’s better to fix whatever is setting the cookie flags incorrectly. You can use the :action option to modify the behavior:

# Issue warnings when modifying cookie flags
plugin :cookie_flags, action: :warn_and_modify

# Issue warnings for incorrect cookie flags without modifying cookie flags
plugin :cookie_flags, action: :warn

# Raise errors for incorrect cookie flags
plugin :cookie_flags, action: :raise

The recommended way to use the plugin is to use it only during testing with action: :raise. Then as long as you have fully covering tests, you can be sure the cookies set by your application use the correct flags.

Note that this plugin only affects cookies set by the application, and does not affect cookies set by middleware the application is using.


Public Class

  1. configure

Public Class methods

configure(app, opts=OPTS)
[show source]
   # File lib/roda/plugins/cookie_flags.rb
63 def self.configure(app, opts=OPTS)
64   previous = app.opts[:cookie_flags] || DEFAULTS
65   opts = app.opts[:cookie_flags] = previous.merge(opts)
67   case opts[:same_site]
68   when String, Symbol
69     opts[:same_site] = opts[:same_site].to_s.downcase.freeze
70     opts[:same_site_string] = "; samesite=#{opts[:same_site]}".freeze
71     opts[:secure] = true if opts[:same_site] == 'none'
72   end
74   opts.freeze
75 end