Allow CSRF cookie options to be set #104
Conversation
Without being able to set cookie options, I receive warnings when running the OWASP ZAP test because httpOnly and secure are not set on my csrf cookie. LGTM! EDIT: OWASP reference https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)
@doublerebel That's the main reason behind this PR as we performed an Acunetix audit on our applications and the only warning we had was with an insecure cookie (XSRF). Sadly, it's been quite a while since I made this pull request. Anyway, I've added the respective tests and improved cookie options validations. If you like, you can install lusca with this fix until it's merged using
Hey @stgogm. We'll assess this PR this week. Thanks for submitting it.
Seems fine from my perspective 👍
@grawk Awesome! Let me know if you need anything else.
Hi @grawk Any news regarding this?
Finally decided to take my own approach on this matter. If anyone else is interested, you're welcome to try Fi Aegis. We've forked this project and added some functionalities, improved documentation and made minor code optimizations.
👍 , will get this in with 1.5.0 release.
This fix allows us to set cookie options and maintain compatibility with current configurations.
Example configurations:
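As an added illustration (not lusca's own code and not the configurations the PR description refers to), the block below shows the two halves of what this thread is about: a middleware accepting caller-supplied cookie options while keeping the previous behaviour as the default, and a check of the resulting Set-Cookie header for the attributes the OTG-SESS-002 test looks for. The default option set, the `_csrf` cookie name and the token value are constructed for the example.

```javascript
// Added example, not part of lusca. Shows (1) merging user cookie options over
// legacy defaults without breaking existing configurations and (2) auditing the
// emitted Set-Cookie header for HttpOnly / Secure / SameSite, as a scanner does.

// Assumed legacy defaults: the CSRF cookie used to be sent with no protective
// attributes at all, which is exactly what ZAP and Acunetix warn about.
const DEFAULT_COOKIE_OPTIONS = Object.freeze({
  httpOnly: false,
  secure: false,
  sameSite: undefined,
  path: '/',
});

// Merge caller options over the defaults. Unknown keys are rejected so that a
// typo such as `httponly` cannot silently leave the cookie unprotected.
function buildCsrfCookieOptions(userOptions = {}) {
  const allowed = new Set(Object.keys(DEFAULT_COOKIE_OPTIONS));
  for (const key of Object.keys(userOptions)) {
    if (!allowed.has(key)) {
      throw new TypeError(`unsupported cookie option: ${key}`);
    }
  }
  return Object.assign({}, DEFAULT_COOKIE_OPTIONS, userOptions);
}

// Render a Set-Cookie header value from name, value and the merged options.
function serializeCookie(name, value, options) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (options.path) parts.push(`Path=${options.path}`);
  if (options.httpOnly) parts.push('HttpOnly');
  if (options.secure) parts.push('Secure');
  if (options.sameSite) parts.push(`SameSite=${options.sameSite}`);
  return parts.join('; ');
}

// Inspect a Set-Cookie header the way a cookie-attribute test does and return
// the names of the protective attributes that are missing (empty = clean).
function auditCookieAttributes(setCookieHeader) {
  const attrs = setCookieHeader
    .split(';')
    .slice(1) // drop the name=value pair, keep only attributes
    .map((a) => a.trim().split('=')[0].toLowerCase());
  const missing = [];
  if (!attrs.includes('httponly')) missing.push('HttpOnly');
  if (!attrs.includes('secure')) missing.push('Secure');
  if (!attrs.includes('samesite')) missing.push('SameSite');
  return missing;
}

// Demonstration on a constructed token value.
const token = 'constructed-csrf-token';
const legacyHeader = serializeCookie('_csrf', token, buildCsrfCookieOptions());
const hardenedHeader = serializeCookie(
  '_csrf',
  token,
  buildCsrfCookieOptions({ httpOnly: true, secure: true, sameSite: 'Strict' })
);

console.log(legacyHeader, '->', auditCookieAttributes(legacyHeader));
console.log(hardenedHeader, '->', auditCookieAttributes(hardenedHeader));
```

Keeping the legacy attribute set as the default is what preserves compatibility for deployments that never passed options; hardening is opt-in per configuration. One caveat when choosing those options: if the CSRF scheme in use requires client-side script to read the token out of the cookie, `httpOnly` will break that flow, so set it only for cookies the browser script never needs to read.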