Merge pull request #2768 from ChrisMcKee/master

Enable CSRF cookie to has secure flag enabled

Author: thecodejunkie

src/Nancy/Security/Csrf.cs

@@ -26,7 +26,8 @@ public static class Csrf
         /// <remarks>This is disabled by default.</remarks>
         /// <param name="pipelines">The application pipelines.</param>
         /// <param name="cryptographyConfiguration">The cryptography configuration. This is <see langword="null" /> by default.</param>
-        public static void Enable(IPipelines pipelines, CryptographyConfiguration cryptographyConfiguration = null)
+        /// <param name="useSecureCookie">Set the CSRF cookie secure flag. This is <see langword="false"/> by default</param>
+        public static void Enable(IPipelines pipelines, CryptographyConfiguration cryptographyConfiguration = null, bool useSecureCookie = false)
         {
             cryptographyConfiguration = cryptographyConfiguration ?? CsrfApplicationStartup.CryptographyConfiguration;
 
@@ -44,7 +45,7 @@ public static void Enable(IPipelines pipelines, CryptographyConfiguration crypto
                         context.Response.Cookies.Add(new NancyCookie(
                             CsrfToken.DEFAULT_CSRF_KEY,
                             (string)context.Items[CsrfToken.DEFAULT_CSRF_KEY],
-                            true));
+                            true, useSecureCookie));
 
                         return;
                     }
@@ -64,7 +65,7 @@ public static void Enable(IPipelines pipelines, CryptographyConfiguration crypto
                     var tokenString = GenerateTokenString(cryptographyConfiguration);
 
                     context.Items[CsrfToken.DEFAULT_CSRF_KEY] = tokenString;
-                    context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, tokenString, true));
+                    context.Response.Cookies.Add(new NancyCookie(CsrfToken.DEFAULT_CSRF_KEY, tokenString, true, useSecureCookie));
                 });
 
             pipelines.AfterRequest.AddItemToEndOfPipeline(postHook);