further elaborate our usage of secure cookies on our services

Signed-off-by: r3g_5z <june@girlboss.ceo>
2023-03-19 02:08:59 -04:00 · 2023-03-19 02:08:59 -04:00 · 00e8afb085
commit 00e8afb085
parent b4077713f5
1 changed files with 4 additions and 3 deletions
--- a/static/features.html
+++ b/static/features.html
@ -1001,9 +1001,10 @@
                    <li>Static key pinning for our services in apps like Auditor</li>
                    <li>Our web services use robust OCSP stapling with Must-Staple</li>
                    <li>No persistent cookies or similar client-side state for anything other than
-                    login sessions, which are set up via SameSite=strict cookies and have
-                    server-side session tracking with the ability to log out of other
-                    sessions</li>
+                    login sessions, which are set up securely using <code>SameSite=Strict</code>,
+                    <code>Secure</code>, <code>HttpOnly</code>, and <code>Path=/</code> flags, prefixed with
+                    <code>__Host</code> and have server-side session tracking with the ability to log out
+                    of other sessions</li>
                    <li>scrypt-based password hashing (likely Argon2 when the available implementations
                    are more mature)</li>
                </ul>