Http Only Cookie Default

CHANGELOG.md

@@ -1,11 +1,14 @@
 
-#### **2.2.3 (Unreleased)**
+#### **2.3.0 (Unreleased)**
 
 FEATURES:
 * Added the ability to use a "any" operation on the roles rather then just "and" with the inclusion of a `require-any-role` [#PR389](https://github.com/gambol99/keycloak-proxy/pull/389)
 * Added a `--enable-request-id` option to inject a request id into the upstream request [#PR392](https://github.com/gambol99/keycloak-proxy/pull/392)
 * Added the ability for the proxy to generate self-signed certificates for use via the `--enable-self-signed-tls` [#PR394](https://github.com/gambol99/keycloak-proxy/pull/394)
 
+BREAK CHANGES
+* Added the http-cookie-only option as default true [#PR397](https://github.com/gambol99/keycloak-proxy/pull/397)
+
 #### **2.2.2**
 
 FEATURES:

config.go

@@ -42,14 +42,15 @@ func newDefaultConfig() *Config {
 		EnableDefaultDeny:           true,
 		EnableSessionCookies:        true,
 		EnableTokenHeader:           true,
-		SelfSignedTLSHostnames:      hostnames,
-		SelfSignedTLSExpiration:     3 * time.Hour,
+		HTTPOnlyCookie:              true,
 		Headers:                     make(map[string]string),
 		LetsEncryptCacheDir:         "./cache/",
 		MatchClaims:                 make(map[string]string),
 		OAuthURI:                    "/oauth",
 		OpenIDProviderTimeout:       30 * time.Second,
 		PreserveHost:                false,
+		SelfSignedTLSExpiration:     3 * time.Hour,
+		SelfSignedTLSHostnames:      hostnames,
 		RequestIDHeader:             "X-Request-ID",
 		ResponseHeaders:             make(map[string]string),
 		SecureCookie:                true,