Cookies must be set with the Secure flag in HTTPS mode #817

Closed
hardware opened this Issue May 1, 2018 · 2 comments


hardware commented May 1, 2018

All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information. Session cookies sent from secure sites must be explicitly marked as secure to prevent being obtained by active network attackers.

```php
/*
|--------------------------------------------------------------------------
| HTTPS Only Cookies
|--------------------------------------------------------------------------
|
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
|
*/
'secure' => false,
```

In HTTPS mode, all cookies must be set with the Secure flag, indicating that they should only be sent over an encrypted channel.

Can you add this parameter to the .env file to permit administrators to change the value? Like this:

```ini
# .env

SESSION_COOKIE_SECURE=true
```

Hardenize report for demo.bookstackapp.com:

https://www.hardenize.com/report/demo.bookstackapp.com/1525132852#www_cookies

I use this workaround in my nginx virtual host until you make this change:

```nginx
# Bookstack.conf

proxy_cookie_path / "/; Secure";
```

http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_path
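The following Python script is an added example to accompany this issue; it is not BookStack, Laravel or nginx code. It parses `Set-Cookie` headers, reports which cookies a site served over HTTPS is setting without the `Secure` flag (the check the Hardenize report performs), and emulates what the `proxy_cookie_path / "/; Secure";` workaround above does to each header. The emulation follows the prefix-rewrite semantics described in the linked nginx documentation (the matched `path` prefix is replaced by the second argument), which is why it also shows the caveat that the workaround only produces a valid header for cookies whose path is exactly `/`. The sample headers are constructed for the demonstration, not captured from demo.bookstackapp.com.

```python
"""Audit Set-Cookie headers for the Secure flag and emulate the nginx
proxy_cookie_path workaround. Added example, not project code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample response headers, modelled on what a Laravel app sets
# by default (XSRF-TOKEN plus a session cookie). Neither carries Secure.
SAMPLE_HEADERS = [
    "XSRF-TOKEN=eyJpdiI6; expires=Tue, 01 May 2018 12:00:00 GMT; Max-Age=7200; path=/",
    "app_session=eyJpdiI6; expires=Tue, 01 May 2018 12:00:00 GMT; Max-Age=7200; path=/; httponly",
]


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are case-insensitive per RFC 6265; stored lower-cased.
    # Flag attributes (Secure, HttpOnly) map to None.
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def find_insecure_cookies(headers: List[str], over_https: bool = True) -> List[str]:
    """Names of cookies set without the Secure flag.

    Only meaningful when the response was served over HTTPS: on plain HTTP
    the flag cannot protect anything, so nothing is reported.
    """
    if not over_https:
        return []
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


def apply_proxy_cookie_path(header: str, path: str = "/",
                            replacement: str = "/; Secure") -> str:
    """Emulate `proxy_cookie_path <path> <replacement>;` on one header.

    nginx replaces the matched prefix of the cookie's Path attribute with the
    replacement text (per the nginx docs). A header without a Path attribute,
    or whose Path does not start with `path`, is returned unchanged.
    """
    m = re.search(r"(;\s*path=)([^;]*)", header, flags=re.IGNORECASE)
    if not m or not m.group(2).startswith(path):
        return header
    new_value = replacement + m.group(2)[len(path):]
    return header[: m.start(2)] + new_value + header[m.end(2):]


def harden(headers: List[str]) -> List[str]:
    """Apply the workaround rewrite to every header in the response."""
    return [apply_proxy_cookie_path(h) for h in headers]


if __name__ == "__main__":
    print("missing Secure before:", find_insecure_cookies(SAMPLE_HEADERS))
    print("missing Secure after: ", find_insecure_cookies(harden(SAMPLE_HEADERS)))
    # Caveat: a prefix rewrite on a cookie scoped below / yields a mangled
    # header ("path=/; Securebooks"), and the cookie still lacks Secure.
    print(apply_proxy_cookie_path("x=1; path=/books"))
```

Run against real traffic by feeding it the `Set-Cookie` values from an HTTPS response; an empty list from `find_insecure_cookies` is the result the Hardenize check expects. The last line of the script is the reason the application-level `SESSION_COOKIE_SECURE` option is preferable to the proxy rewrite: nginx does string replacement on the path prefix, so the workaround is only safe when every cookie is scoped to `/`.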


Member

ssddanbrown commented May 12, 2018

Thanks @hardware for opening this issue.
I agree this would be good to have as a configurable option. Have marked to be in the next release.


Member

ssddanbrown commented May 20, 2018

Now implemented. Will be in the next release.
