Harden session cookie security with configurable cookie flags

backend/app/config.py

@@ -4,6 +4,8 @@ Follows pydantic-settings patterns: all values are prefixed with BANGUI_
 and validated at startup via the Settings singleton.
 """
 
+from typing import Literal
+
 from pydantic import Field, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
@@ -47,6 +49,25 @@ class Settings(BaseSettings):
         default="UTC",
         description="IANA timezone name used when displaying timestamps in the UI.",
     )
+    session_cookie_httponly: bool = Field(
+        default=True,
+        description=(
+            "Mark the session cookie as HttpOnly so browser scripts cannot access it."
+        ),
+    )
+    session_cookie_samesite: Literal["lax", "strict", "none"] = Field(
+        default="lax",
+        description=(
+            "SameSite policy for the session cookie. "
+            "Use 'lax', 'strict', or 'none' depending on deployment requirements."
+        ),
+    )
+    session_cookie_secure: bool = Field(
+        default=False,
+        description=(
+            "Set the session cookie Secure flag when the backend is served over HTTPS."
+        ),
+    )
     cors_allowed_origins: str | list[str] = Field(
         default_factory=list,
         description=(