From 492061833760ba299411a99f6eec8f8f34b9c25d Mon Sep 17 00:00:00 2001 From: Frank Tovar Date: Tue, 24 Feb 2026 22:21:16 +0100 Subject: [PATCH] Document session cookie security behavior --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 5a61bf7..508dae4 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,7 @@ Fresh full-stack starter scaffold: ## Implemented Backend Scope - Auth: register, login, logout, current user context +- Session cookie: `HttpOnly`, `SameSite=Strict`, `Secure` when served over HTTPS - Rulesets: d6 and dnd5e validation rules - Campaigns: create/list/read - Characters: create/update/activate/current-campaign list
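Review bot: The added README line under "Implemented Backend Scope" says `Secure` is set "when served over HTTPS" but does not say how the backend decides that a request arrived over HTTPS. Please document whether this comes from the request scheme, a forwarded-protocol header, or an environment setting. A reader deploying behind a TLS-terminating reverse proxy cannot tell from this line whether the session cookie will carry `Secure` in that setup. It would also help to state that plain-HTTP operation, where the cookie is sent without `Secure`, is intended for local development only, if that is the case. This patch changes only README.md, so pointing to the code or test that enforces these three attributes would let the documentation be checked against behavior.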