Secure way to configure lucia when dealing with multiple apps running in different sub-domains

[prabak]

Hi!

I am planning to have 3 apps running on a particular domain (i.e. myapp.com).

1. auth.myapp.com
2. web.myapp.com
3. api.myapp.com

The nextJs app running on auth.myapp.com will handle the authentication that will be shared by both the api.myapp.com (express server) and web.myapp.com (nextJs app).

is the following configuration for myapp.com domain correct?

sessionCookie: {
		attributes: {
			domain: 'myapp.com',
			sameSite: 'strict',
		}
	},
csrfProtection: {
    allowedSubdomains: ['auth', 'web', 'api']
}

Is there any other configuration that I am missing in terms of security?

thank you

[pilcrowonpaper]

Setting SameSite: Strict means your users won't be logged in if they access your website via a link. That's fine for say banks, but I don't think that's what you want for the majority of websites.

Assuming Lucia will be initialized in auth.myapp.com, you can omit auth since that's included by default.

csrfProtection: {
    allowedSubdomains: ['web', 'api']
}

Domain cookie attribute should only be set if you're planning to read session cookies on the server on web.myapp.com and api.myapp.com.

[prabak]

thank you