chore(cookies): cookies http only

app/controllers/agent_connect/agent_controller.rb

@@ -12,8 +12,8 @@ class AgentConnect::AgentController < ApplicationController
   def login
     uri, state, nonce = AgentConnectService.authorization_uri
 
-    cookies.encrypted[STATE_COOKIE_NAME] = { value: state, secure: Rails.env.production? }
-    cookies.encrypted[NONCE_COOKIE_NAME] = { value: nonce, secure: Rails.env.production? }
+    cookies.encrypted[STATE_COOKIE_NAME] = { value: state, secure: Rails.env.production?, httponly: true }
+    cookies.encrypted[NONCE_COOKIE_NAME] = { value: nonce, secure: Rails.env.production?, httponly: true }
 
     redirect_to uri, allow_other_host: true
   end

app/controllers/application_controller.rb

@@ -117,7 +117,7 @@ class ApplicationController < ActionController::Base
 
   def set_locale(locale)
     if locale && locale.to_sym.in?(I18n.available_locales)
-      cookies[:locale] = { value: locale, secure: Rails.env.production? }
+      cookies[:locale] = { value: locale, secure: Rails.env.production?, httponly: true }
       if user_signed_in?
         current_user.update(locale: locale)
       end

app/controllers/instructeurs/procedures_controller.rb

@@ -249,6 +249,7 @@ module Instructeurs
       cookies.encrypted[cookies_export_key] = {
         value: DateTime.current,
         expires: Export::MAX_DUREE_GENERATION + Export::MAX_DUREE_CONSERVATION_EXPORT,
+        httponly: true,
         secure: Rails.env.production?
       }
 

config/initializers/session_store.rb

@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
 
-Rails.application.config.session_store :cookie_store, key: '_DS_session', secure: Rails.env.production?
+Rails.application.config.session_store :cookie_store, key: '_DS_session', secure: Rails.env.production?, httponly: true