SpringBoot 2.X定义全局cookie属性

对于最近项目安全扫描，存在关于Cookie的安全漏洞，如下图：

其中HTTP请求响应报文：

Content-Security-Policy: frame-ancestors 'self';
Set-Cookie: SDSESSIONID=OWQ3YTQ5MWEtY2NiMy00MjRkLWFhZTktYjA3ODBjZWY2YmFm; Path=/; HttpOnly; SameSite=Lax

这里需要补充Secure属性、设置HttpOnly、SameSite等调整
引入依赖：

<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-data-redis</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.session</groupId>
    <artifactId>spring-session-core</artifactId>
</dependency>

添加全局配置：

@Configuration
public class SpringSessionConfiguration {
    @Value("$server.servlet.session.cookie.name")
    private String cookieName;

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
        cookieSerializer.setCookieName(cookieName);
        cookieSerializer.setUseSecureCookie(true);
        cookieSerializer.setUseHttpOnlyCookie(true);
        cookieSerializer.setSameSite("Strict");
        return cookieSerializer;
    }
}

之后，修复之后，重新请求接口，响应报文变化为：

....
set-cookie: SDSESSIONID=NzcyMDExYjYtNmE3Yy00NzliLWExYTUtN2NjMjQ1NDRjODA3; Path=/; Secure; HttpOnly; SameSite=Strict
....