mastodon/config/initializers/secureheaders.rb

SecureHeaders::Configuration.default do |config|
  config.cookies = {
    secure: true,
    httponly: true,
    samesite: {
      lax: true
    }
  }
  config.csp = SecureHeaders::OPT_OUT
end