[feature] Start adding advanced configuration options, starting with samesite (#628)

* fix incorrect port being used for db

* start adding advanced config flags

* use samesite lax by default

example/config.yaml

@@ -428,3 +428,30 @@ syslog-protocol: "udp"
 # String. Address:port to send syslog logs to. Leave empty to connect to local syslog.
 # Default: "localhost:514"
 syslog-address: "localhost:514"
+
+#############################
+##### ADVANCED SETTINGS #####
+#############################
+
+# Advanced settings pertaining to http timeouts, security, cookies, and more.
+#
+# ONLY ADJUST THESE SETTINGS IF YOU KNOW WHAT YOU ARE DOING!
+#
+# Most users will not need to (and should not) touch these settings, since
+# they are set to sensible defaults, and may break if they are changed.
+#
+# Nevertheless, they are provided for the sake of allowing server admins to
+# tweak their instance for performance or security reasons.
+
+# String. Value of the SameSite attribute of cookies set by GoToSocial.
+# Defaults to 'lax' to ensure that the OIDC flow does not break, which is
+# fine in most cases. If you want to harden your instance against CSRF attacks
+# and don't mind if some login-related things might break, you can set this
+# to 'strict' instead.
+#
+# For an overview of what this does, see:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+#
+# Options: ["lax", "strict"]
+# Default: "lax"
+advanced-cookies-samesite: "lax"