From 1bf68f73c4bd063ae4fec0525a542ea710c4cbe0 Mon Sep 17 00:00:00 2001 From: Tony Murray Date: Mon, 18 Sep 2023 11:11:44 -0500 Subject: [PATCH] Docs security secure session cookie (#15328) * Fix unescaped output in ipv6 search page * Add SESSION_SECURE_COOKIE to the security recommendations page --- doc/General/Security.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/General/Security.md b/doc/General/Security.md index ea8e8bb807..b06e1e072c 100644 --- a/doc/General/Security.md +++ b/doc/General/Security.md @@ -10,10 +10,18 @@ should show that we take things seriously. As with any system of this nature, we highly recommend that you restrict access to the install via a firewall or VPN. +Please ensure you keep your install [up to date](Updating.md). + +### Enable HTTPS + It is also highly recommended that the Web interface is protected with an SSL certificate such as ones provided by [LetsEncrypt](http://www.letsencrypt.org). -Please ensure you keep your install [up to date](Updating.md). +### Secure Session Cookies + +Once you have enabled HTTPS for your install, you should set `SESSION_SECURE_COOKIE=true` +in your .env file. This will require cookies to be transferred by secure protocol and +prevent any MiM attacks against it. ### Trusted Proxies
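Review bot: In the new "Secure Session Cookies" section, the closing claim `prevent any MiM attacks against it` overstates what the setting does and leaves "it" without a clear referent. `SESSION_SECURE_COOKIE=true` marks the session cookie as Secure, so browsers send it only over HTTPS. That keeps the cookie off plain-HTTP requests, but it is not a general defence against man-in-the-middle attacks. Suggest wording along the lines of "This makes browsers send the session cookie only over HTTPS, so it cannot be captured from a plain-HTTP request", and spelling out the abbreviation if it stays. It would also help to say that a session will not persist for anyone still reaching the install over plain HTTP once the setting is on, which is why the "Once you have enabled HTTPS" ordering matters. Separately, the commit message lists "Fix unescaped output in ipv6 search page", but the diffstat shows only doc/General/Security.md changed, so either that fix is missing from this patch or the message line should be dropped.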