Set Secure Attribute on Session Cookie #6912
Comments
See #6907 for more on what is being requested here.
Here are the three locations where this enhancement will probably need to touch:
And here is a brief overview of why this is being asked. https://resources.infosecinstitute.com/topics/general-security/securing-cookies-httponly-secure-flags Note: Because Kiali's endpoint can be configured to use http only (as opposed to https) we'll want to be able to have the cookie sent over http. Thus the Secure flag should be set on the cookie only if Kiali's endpoint is specifically configured for https; it should not be set when Kiali's endpoint is configured for http.
This has been implemented - #6930 - that PR is just waiting on review; if that happens in the next day or two, this might get into the upcoming release.
* set the Secure flag on auth cookies when appropriate fixes: #6912
* rename IsServerHttps to IsServerHTTPS
* if server itself isn't using https, check to see if the proxy in front does
* fix some tests
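The policy spelled out in the note above (Secure only when the endpoint is served over https, never on plain http) together with the commit's proxy check (if the server itself is not using https, look at the proxy in front) can be demonstrated in a few lines of Go. This is an added, stand-alone example and not Kiali's own code: the serverTLS flag, isRequestHTTPS, sessionCookie and cookieSecureFor helpers are assumptions made for illustration, the cookie value is a constructed placeholder, and the only page-derived name is the kiali-token-aes cookie.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isRequestHTTPS reports whether the client reached the service over TLS.
// serverTLS stands in for a static "server is configured for https" setting
// (an assumption for this example). When the server itself is plain http, the
// X-Forwarded-Proto header set by the reverse proxy in front is consulted.
// That header is only meaningful when the proxy is trusted and strips any
// client-supplied copy; otherwise a client could claim https on a plain
// connection and receive a Secure-flagged cookie it can still read.
func isRequestHTTPS(r *http.Request, serverTLS bool) bool {
	if serverTLS || r.TLS != nil {
		return true
	}
	return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// sessionCookie builds the session cookie: HttpOnly is always set, Secure only
// when the request is known to have arrived over HTTPS.
func sessionCookie(name, value string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
	}
}

// setSessionCookie applies the policy to one request/response pair and returns
// the cookie that was written so callers can inspect it.
func setSessionCookie(w http.ResponseWriter, r *http.Request, serverTLS bool) *http.Cookie {
	// "example-token" is a constructed placeholder, not a real session value.
	c := sessionCookie("kiali-token-aes", "example-token", isRequestHTTPS(r, serverTLS))
	http.SetCookie(w, c)
	return c
}

// cookieSecureFor drives the handler with a synthetic request and reports
// whether the Set-Cookie header that came back carried the Secure attribute.
// It parses the response header rather than trusting the struct, so it checks
// what a browser would actually see.
func cookieSecureFor(forwardedProto string, serverTLS bool) bool {
	req := httptest.NewRequest(http.MethodGet, "http://kiali.example/api/authenticate", nil)
	if forwardedProto != "" {
		req.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	rec := httptest.NewRecorder()
	setSessionCookie(rec, req, serverTLS)
	for _, c := range rec.Result().Cookies() {
		if c.Name == "kiali-token-aes" {
			return c.Secure
		}
	}
	return false
}

func main() {
	fmt.Println("plain http, no proxy:      ", cookieSecureFor("", false))
	fmt.Println("proxy terminates TLS:      ", cookieSecureFor("https", false))
	fmt.Println("server configured for https:", cookieSecureFor("", true))
	fmt.Println("proxy says http:           ", cookieSecureFor("http", false))
}
```

The first and last cases are the ones the note cares about: on a plain-http deployment the cookie is written without Secure so the browser still sends it, while any path that establishes TLS (the server's own config, a direct TLS connection, or a trusted proxy reporting https) yields the Secure attribute that the scan in this issue expects.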
WASA scans reveal a low security finding when Kiali is served over HTTPS due to the kiali-token-aes only having HTTPOnly, without the Secure attribute.