[email protected]. Closes #3318

Author: hueniverse

API.md

@@ -1380,6 +1380,8 @@ for performing injections, with some additional options and response properties:
         - `close` - if `true`, emits a `'close'` event after payload transmission (if any).
           Defaults to `false`.
         - `end` - if `false`, does not end the stream. Defaults to `true`.
+    - `validate` - if `false`, the `options` inputs are not validated. This is recommended for run-time
+      usage of `inject()` to make it perform faster where input validation can be tested separately.
 - `callback` - the callback function with signature `function(res)` where:
     - `res` - the response object where:
         - `statusCode` - the HTTP status code.
@@ -1859,12 +1861,12 @@ across multiple requests. Registers a cookie definitions where:
 - `options` - are the optional cookie settings:
     - `ttl` - time-to-live in milliseconds. Defaults to `null` (session time-life - cookies are
       deleted when the browser is closed).
-    - `isSecure` - sets the 'Secure' flag. Defaults to `false`.
-    - `isHttpOnly` - sets the 'HttpOnly' flag. Defaults to `false`.
+    - `isSecure` - sets the 'Secure' flag. Defaults to `true`.
+    - `isHttpOnly` - sets the 'HttpOnly' flag. Defaults to `true`.
     - `isSameSite` - sets the 'SameSite' flag where the value must be one of:
-        - `false` - no flag (this is the default value).
-        - `'Strict'` - sets the value to `'Strict'`,
-        - `'Lax'` - sets the value to `'Lax'`,
+        - `false` - no flag.
+        - `'Strict'` - sets the value to `'Strict'` (this is the default value).
+        - `'Lax'` - sets the value to `'Lax'`.
     - `path` - the path scope. Defaults to `null` (no path).
     - `domain` - the domain scope. Defaults to `null` (no domain).
     - `autoValue` - if present and the cookie was not received from the client or explicitly set by

npm-shrinkwrap.json

@@ -33,7 +33,7 @@
     "mimos": "3.x.x",
     "podium": "^1.2.x",
     "shot": "3.x.x",
-    "statehood": "4.x.x",
+    "statehood": "5.x.x",
     "subtext": "^4.2.x",
     "topo": "2.x.x"
   },

package.json

@@ -75,7 +75,7 @@ describe('Response', () => {
             expect(res.statusMessage).to.equal('Super');
             expect(res.headers['cache-control']).to.equal('max-age=1, must-revalidate, private');
             expect(res.headers['content-type']).to.equal('text/plain; something=something; charset=ISO-8859-1');
-            expect(res.headers['set-cookie']).to.equal(['abc=123', 'sid=YWJjZGVmZzEyMzQ1Ng==', 'other=something; Secure', 'x=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT', 'test=123', 'empty=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/path', 'always=present']);
+            expect(res.headers['set-cookie']).to.equal(['abc=123', 'sid=YWJjZGVmZzEyMzQ1Ng==; Secure; HttpOnly; SameSite=Strict', 'other=something; Secure; HttpOnly; SameSite=Strict', 'x=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict', 'test=123; Secure; HttpOnly; SameSite=Strict', 'empty=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Path=/path', 'always=present; Secure; HttpOnly; SameSite=Strict']);
             expect(res.headers.vary).to.equal('x-control,accept-encoding');
             expect(res.headers.combo).to.equal('o-k');
             done();
@@ -347,7 +347,7 @@ describe('Response', () => {
             server.inject('/', (res) => {
 
                 expect(res.statusCode).to.equal(200);
-                expect(res.headers['set-cookie']).to.equal(['session=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; Path=/unset']);
+                expect(res.headers['set-cookie']).to.equal(['session=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict; Path=/unset']);
                 done();
             });
         });
@@ -734,7 +734,7 @@ describe('Response', () => {
 
                 expect(res.result).to.equal('x');
                 expect(res.headers.xcustom).to.equal('other value');
-                expect(res.headers['set-cookie']).to.equal(['a=1', 'b=2']);
+                expect(res.headers['set-cookie']).to.equal(['a=1', 'b=2; Secure; HttpOnly; SameSite=Strict']);
                 done();
             });
         });

test/response.js

@@ -170,7 +170,7 @@ describe('state', () => {
         server.inject({ method: 'GET', url: '/', headers: { cookie: 'a=x' } }, (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie'][0]).to.equal('a=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT');
+            expect(res.headers['set-cookie'][0]).to.equal('a=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=Strict');
             done();
         });
     });
@@ -190,7 +190,7 @@ describe('state', () => {
         server.inject('/', (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie']).to.equal(['always=present']);
+            expect(res.headers['set-cookie']).to.equal(['always=present; Secure; HttpOnly; SameSite=Strict']);
             done();
         });
     });
@@ -210,7 +210,7 @@ describe('state', () => {
         server.inject('/', (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie']).to.equal(['onecookie=yes', 'twocookie=no', 'always=present']);
+            expect(res.headers['set-cookie']).to.equal(['onecookie=yes', 'twocookie=no', 'always=present; Secure; HttpOnly; SameSite=Strict']);
             done();
         });
     });
@@ -235,7 +235,7 @@ describe('state', () => {
         server.inject('/sweet', (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie']).to.equal(['always=sweet']);
+            expect(res.headers['set-cookie']).to.equal(['always=sweet; Secure; HttpOnly; SameSite=Strict']);
             done();
         });
     });
@@ -280,7 +280,7 @@ describe('state', () => {
         server.inject('/', (res) => {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['set-cookie']).to.equal(['a=b']);
+            expect(res.headers['set-cookie']).to.equal(['a=b; Secure; HttpOnly; SameSite=Strict']);
             done();
         });
     });