<@!793412957328769024> I have updated the supertok...
# support-questions-legacy
r
@User I have updated the supertokens-website package to include the
secure
flag. Please delete yarn.lock and run
yarn upgrade
to get that change. Things should work now. A note about session behaviour on safari: We are using antiCsrf VIA_TOKEN for CSRF protection. This is cause your CORS rules for APIs is probably set to allow any origin to query them (cause you are using an iframe) - if this is not true, then you can remove the
antiCsrf
param from your backend config, and ignore this paragraph (in which case we will be using csrf protection via custom headers). If this is true, it means each request sends an anti-csrf token for CSRF protection. This token is store in frontend cookies. Now safari, caps the lifetime of frontend cookies to 7 days (privacy feature). So that means, if a user is using safari, and they don't refresh a session for 7 days, they will get logged out (only for safari). If this is an issue for you, you can set
antiCsrf
to "NONE", and use another anti csrf method that involves injecting the CSRF token in the html (in conjunction to our lib).