Cookies must be set with the Secure flag in HTTPS mode #817
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information. Session cookies sent from secure sites must be explicitly marked as secure to prevent being obtained by active network attackers.
In HTTPS mode, all cookies must be set with the Secure flag, indicating that they should only be sent over an encrypted channel.
Can you add this parameter to the .env file to permit administrators to change the value? Like this:
# .env
SESSION_COOKIE_SECURE=true
Hardenize report for demo.bookstackapp.com:
I use this workaround in my nginx virtual host until you make this change:
# Bookstack.conf
proxy_cookie_path / "/; Secure";
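The issue describes two things worth checking in practice: whether a site's Set-Cookie headers actually carry the Secure attribute, and why the nginx proxy_cookie_path workaround has the effect it does (the replacement text "/; Secure" is substituted for the Path value, so the browser sees an extra Secure attribute). The following is an added example written for this page, not code from BookStack or from the issue author. The Set-Cookie values are constructed samples, and apply_proxy_cookie_path is a simplified model of nginx's string-form proxy_cookie_path, not nginx's implementation.

```python
"""Audit Set-Cookie headers for the Secure attribute and model the nginx workaround."""
import re
from typing import Dict, List

# Constructed sample Set-Cookie values (not captured from any real site).
SAMPLE_HEADERS_BEFORE = [
    "bookstack_session=abc123; path=/; httponly",
    "XSRF-TOKEN=def456; path=/",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name, value and attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lowercased;
    flag attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(headers: List[str], over_https: bool = True) -> List[str]:
    """Return one finding per cookie that lacks Secure while served over HTTPS.

    A cookie without Secure is also sent on plaintext HTTP requests to the
    same host, which is how a network attacker could observe a session id.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if over_https and "secure" not in cookie["attrs"]:
            findings.append(f"{cookie['name']}: missing Secure attribute")
    return findings


def apply_proxy_cookie_path(header: str, match: str = "/",
                            replacement: str = "/; Secure") -> str:
    """Simplified model of nginx `proxy_cookie_path <match> <replacement>`.

    When the cookie's Path attribute equals `match`, the value is replaced by
    `replacement`. With the replacement "/; Secure", the substituted text
    introduces a new `Secure` attribute after the Path, which is why the
    workaround in the issue marks every cookie with Path=/ as Secure.
    """
    def substitute(m: "re.Match[str]") -> str:
        if m.group(2) == match:
            return m.group(1) + replacement
        return m.group(0)

    return re.sub(r"(;\s*path=)([^;]*)", substitute, header, flags=re.IGNORECASE)


if __name__ == "__main__":
    print("Findings before:", audit_cookies(SAMPLE_HEADERS_BEFORE))
    rewritten = [apply_proxy_cookie_path(h) for h in SAMPLE_HEADERS_BEFORE]
    print("After nginx-style rewrite:", rewritten)
    print("Findings after:", audit_cookies(rewritten))
```

Running the audit against the headers a deployment actually emits (for example, the values of every Set-Cookie header in a captured HTTPS response) is a quick way to confirm that SESSION_COOKIE_SECURE or the proxy rewrite is in effect; the rewrite model also makes clear that proxy_cookie_path only affects cookies whose Path matches, so cookies set with a different Path would still need the application-level setting.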