  • This project demonstrates an important security flaw in Azure App Service (also called Azure Websites), live since at least the 24th of November 2019.

  • When the CORS settings are used to limit CSRF on the App Service and the server responds with a Set-Cookie header that lacks the Secure flag, like this:

```javascript
'Set-Cookie': `randomCookie=test; Path=/; HttpOnly; SameSite=Lax`,
```

  • Azure PaaS caches the cookie value and supplies it on every subsequent request to the server.

  • As a result, whenever the server is called by a client that holds no cookie of its own, the server receives the most recently set cookie value in the request's Cookie header, as if it were a global variable.

  • This does not occur when the Secure flag is present on the cookie, or when the CORS settings are not used. The flaw is a major concern because cookies are used for session management (session cookies, cookies holding an access token, ...).

  • The Node.js app is very simple and has no npm dependencies: pure Node.js.

  • Node 10 LTS is used with the default Oryx deployment. App Service is used here as PaaS.

  • The Kestrel web server appears to be in use (seen in the response headers).

  • This issue cannot be reproduced locally or in a dedicated VM, only in an Azure web app.

  • As soon as I discovered this bug, I opened a severity A case with support on Monday 2nd of December 2019.

  • Microsoft created a public issue on the MS GitHub following my request:

Steps to reproduce

  • Create a new web app using Node.js 10 LTS on Linux.

  • This issue occurs when the CORS settings are used. If there is at least one entry on that page (which is the case by default, since you get '*'), the issue happens:
