From 108acdf77f31ba354da5b16fa229d58e2c9fa22d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mili=C4=87?=
Date: Tue, 14 Nov 2023 15:49:35 +0100
Subject: [PATCH] feature/Add props set_response_header_Set-Cookie

---
 src/main/resources/props/sample.props.template | 4 +++-
 src/main/scala/bootstrap/liftweb/Boot.scala | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/main/resources/props/sample.props.template b/src/main/resources/props/sample.props.template
index 36387c7a..7d9b2ddf 100644
--- a/src/main/resources/props/sample.props.template
+++ b/src/main/resources/props/sample.props.template
@@ -185,4 +185,6 @@ session_inactivity_timeout_in_minutes = 30
 # Please note that depricated name ot this props is: language_tag
-default_locale = en_GB
\ No newline at end of file
+default_locale = en_GB
+
+set_response_header_Set-Cookie = "Path=/; HttpOnly; Secure"
\ No newline at end of file
diff --git a/src/main/scala/bootstrap/liftweb/Boot.scala b/src/main/scala/bootstrap/liftweb/Boot.scala
index 2033c34d..6eb439b8 100755
--- a/src/main/scala/bootstrap/liftweb/Boot.scala
+++ b/src/main/scala/bootstrap/liftweb/Boot.scala
@@ -247,5 +247,16 @@ class Boot extends MdcLoggable{
 // Do not change default value
 }
+ val setCookieHeader: (String, String) = Props.get("set_response_header_Set-Cookie") match {
+ case Full(value) => ("Set-Cookie", value)
+ case _ => ("Set-Cookie", "Path=/; HttpOnly; Secure")
+ }
+ //for XSS vulnerability, set X-Frame-Options header as DENY
+ LiftRules.supplementalHeaders.default.set(
+ ("X-Frame-Options", "DENY") ::
+ setCookieHeader ::
+ Nil
+ )
+
 }
 }
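Review bot: The new default `set_response_header_Set-Cookie = "Path=/; HttpOnly; Secure"` is written with surrounding double quotes, and a java.util.Properties-style loader (which, as far as I can tell, is what Lift's Props sits on) keeps those quotes as part of the value, so the header the server emits would contain the literal quote characters. None of the neighbouring entries in this template are quoted; write it as `set_response_header_Set-Cookie = Path=/; HttpOnly; Secure` to match. A one-line comment above the key saying that the value is sent verbatim as a Set-Cookie header on every response would also help, since the key name alone does not convey that it is not a flag but a raw header value.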
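Review bot: The header built at `case _ => ("Set-Cookie", "Path=/; HttpOnly; Secure")` (and the matching template default) contains no cookie name=value pair, so under RFC 6265 parsing a browser reads `Path=/` as a cookie named `Path` with value `/` and only then applies HttpOnly and Secure to that stray cookie; nothing about the real session cookie changes. Adding a fixed Set-Cookie through `LiftRules.supplementalHeaders` cannot retrofit HttpOnly/Secure onto the cookie the container issues, which is presumably the intent here; that belongs in the servlet container's session cookie configuration or in the code that creates the cookie, so this option should either be dropped or documented as a verbatim header whose configured value must itself start with `name=value`. Separately, the comment `//for XSS vulnerability, set X-Frame-Options header as DENY` describes the wrong threat — X-Frame-Options controls framing — and should read `// Clickjacking defence: X-Frame-Options DENY forbids embedding this site in a frame`. The method enclosing these lines starts outside the hunk.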