From 00e8afb0858e5e31e73b34799899d21713529631 Mon Sep 17 00:00:00 2001
From: r3g_5z <june@girlboss.ceo>
Date: Sun, 19 Mar 2023 02:08:59 -0400
Subject: [PATCH] further elaborate our usage of secure cookies on our services

Signed-off-by: r3g_5z <june@girlboss.ceo>
---
 static/features.html | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/static/features.html b/static/features.html
index 86ddd833..591281aa 100644
--- a/static/features.html
+++ b/static/features.html
@@ -1001,9 +1001,10 @@
                     <li>Static key pinning for our services in apps like Auditor</li>
                     <li>Our web services use robust OCSP stapling with Must-Staple</li>
                     <li>No persistent cookies or similar client-side state for anything other than
-                    login sessions, which are set up via SameSite=strict cookies and have
-                    server-side session tracking with the ability to log out of other
-                    sessions</li>
+                    login sessions, which are set up securely using <code>SameSite=Strict</code>,
+                    <code>Secure</code>, <code>HttpOnly</code>, and <code>Path=/</code> flags, prefixed with
+                    <code>__Host</code> and have server-side session tracking with the ability to log out
+                    of other sessions</li>
                     <li>scrypt-based password hashing (likely Argon2 when the available implementations
                     are more mature)</li>
                 </ul>